Hacking Team Disclosure Sample - file ndisk.sys

Hunt Hypothesis

The detection of the ndisk.sys file may indicate the presence of a compromised system or potential malware execution, as this file is associated with known malicious activity. SOC teams should proactively hunt for this file in Azure Sentinel to identify and mitigate potential threats before they lead to data exfiltration or system compromise.

YARA Rule

rule bin_ndisk  
{
    
    meta:
        description = "Hacking Team Disclosure Sample - file ndisk.sys"
        author = "Florian Roth"
        reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
        date = "2015-07-07"
        hash = "cf5089752ba51ae827971272a5b761a4ab0acd84"
    
    strings:
        $s1 = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" fullword wide
        $s2 = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" fullword wide
        $s3 = "\\Driver\\DeepFrz" fullword wide
        $s4 = "Microsoft Kernel Disk Manager" fullword wide
        $s5 = "ndisk.sys" fullword wide
        $s6 = "\\Device\\MSH4DEV1" fullword wide
        $s7 = "\\DosDevices\\MSH4DEV1" fullword wide
        $s8 = "built by: WinDDK" fullword wide
    
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 8 string patterns in its detection logic.

References

• https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/
• Source Rule

False Positive Guidance

• Scenario: System Update or Patch Deployment
  Description: A legitimate system update or patch deployment may include the ndisk.sys file as part of a driver update.
  Filter/Exclusion: Check for the presence of known update tools (e.g., Windows Update, Microsoft Update, or third-party patch management tools) or filter by file hashes from trusted sources (e.g., Microsoft’s official driver hashes).

• Scenario: Scheduled Disk Maintenance Job
  Description: A scheduled job running disk maintenance or defragmentation tasks may temporarily load the ndisk.sys driver.
  Filter/Exclusion: Filter by process name (e.g., defrag.exe, dfrgntfs.exe) or check for scheduled task IDs associated with disk maintenance.

• Scenario: Antivirus or Security Software Integration
  Description: Some security software may use or interact with ndisk.sys as part of their disk scanning or monitoring capabilities.
  Filter/Exclusion: Check for known security software (e.g., Bitdefender, Kaspersky, McAfee) and filter by process names or parent process context.

• Scenario: Virtualization or Hypervisor Management
  Description: Virtualization platforms like VMware or Hyper-V may use ndisk.sys for disk management or virtual disk operations.
  Filter/Exclusion: Filter by presence of virtualization software (e.g., vmtoolsd.exe, vmware-vmx.exe) or check for virtual machine identifiers in the event data.

• Scenario: Third-Party Driver Installation
  Description: A third-party driver installation (e.g., for storage controllers or RAID cards) may include ndisk.sys as part of the driver package.
  Filter/Exclusion: Filter by vendor information (e.g., LSI Logic, Adaptec) or check for known driver installation