false positives may be present based on legitimate third party applications needing to install drivers. filter, or allow list known good drivers consistently being installed in these paths.

t1014
t1068
endpoint
splunk

Techniques

T1014
T1068

Sample rules

Windows Driver Load Non-Standard Path

source: splunk
technicques:
- T1014
- T1068

Description

The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths.

Detection logic

`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" NOT (ImagePath IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_driver_load_non_standard_path_filter`