The hypothesis is that the detection of FWPKCLNT.SYS, associated with Winnti malware, indicates potential adversary persistence and privilege escalation within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage kernel-mode rootkits to evade detection and maintain long-term access.
YARA Rule
rule Winnti_malware_FWPK
{
meta:
description = "Detects a Winnti malware - FWPKCLNT.SYS"
author = "Florian Roth"
reference = "VTI research"
date = "2015-10-10"
score = 75
hash1 = "1098518786c84b0d31f215122275582bdcd1666653ebc25d50a142b4f5dabf2c"
hash2 = "9a684ffad0e1c6a22db1bef2399f839d8eff53d7024fb014b9a5f714d11febd7"
hash3 = "a836397817071c35e24e94b2be3c2fa4ffa2eb1675d3db3b4456122ff4a71368"
strings:
$s0 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\" fullword wide
$s1 = "%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %u" fullword ascii
$s2 = "FWPKCLNT.SYS" fullword ascii
$s3 = "Port Layer" fullword wide
$s4 = "%x->%x, icmp type %d, code %d" fullword ascii
$s5 = "\\BaseNamedObjects\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28E}" fullword wide
$s6 = "\\Ndi\\Interfaces" fullword wide
$s7 = "\\Device\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28F}" fullword wide
$s8 = "Bad packet" fullword ascii
$s9 = "\\BaseNamedObjects\\EKV0000000000" fullword wide
$s10 = "%x->%x" fullword ascii
$s11 = "IPInjectPkt" fullword ascii /* Goodware String - occured 6 times */
condition:
uint16(0) == 0x5a4d and filesize < 642KB and all of them
}This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
Scenario: A legitimate system update or patching process loads FWPKCLNT.SYS as part of Windows Defender or Windows Update
Filter/Exclusion: Check for process parent or command line containing wuauclt.exe or setup.exe
Example Filter: process.parent.name == "wuauclt.exe"
Scenario: A security tool or endpoint protection software (e.g., Microsoft Defender, CrowdStrike, or Bitdefender) uses FWPKCLNT.SYS for network filtering
Filter/Exclusion: Check for process name matching known security software (e.g., mpsvc.exe, cswd.exe, bdagent.exe)
Example Filter: process.name in ("mpsvc.exe", "cswd.exe", "bdagent.exe")
Scenario: A scheduled task runs a script or application that temporarily loads FWPKCLNT.SYS for network monitoring or traffic analysis
Filter/Exclusion: Check for task name or command line containing keywords like “monitor”, “traffic”, or “analysis”
Example Filter: process.command_line contains "monitor" or "traffic" or "analysis"
Scenario: A system administrator uses the netsh command to configure firewall rules, which may temporarily load FWPKCLNT.SYS
Filter/Exclusion: Check for process name netsh.exe or command line containing netsh
Example Filter: process.name == "netsh.exe"
Scenario: A legitimate application or service (e.g., a network diagnostic tool or a virtualization platform) uses FWPKCLNT.SYS for network interface management
Filter/Exclusion: Check for process name matching known diagnostic or virtualization tools (e.g., vboxnetadp.exe, diagtrack.exe)