Windows Vulnerable Driver Loaded
- source: splunk
- techniques:
- T1543.003
Description
The following analytic uses a known list of vulnerable Windows drivers to help defenders find potential persistence or privilege escalation via a vulnerable driver. It relies on Sysmon EventCode 6 (driver loaded). A known gap with this lookup is that it matches on the driver file name and does not use the hash or known signer of the vulnerable driver; it is therefore up to the defender to identify the version and signing information and confirm that it is a vulnerable driver.
Detection logic
`sysmon` EventCode=6
| lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description
| search is_driver = TRUE
| stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded driver_description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_vulnerable_driver_loaded_filter`
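The pipeline above, re-implemented in Python over constructed Sysmon EventCode 6 records so that the lookup, the `is_driver` filter and the `stats` stage can be read beside the SPL, and extended with the hash check the description says the lookup lacks. This is an added example, not code from Splunk security content or the loldrivers project; `LOLDRIVERS`, `CONFIRMED_VULNERABLE_SHA256`, and every driver name, host, hash and timestamp in it are constructed placeholders, not real indicators.

```python
"""Added worked example (not Splunk security content or loldrivers code): the
Windows Vulnerable Driver Loaded analytic over constructed Sysmon EventCode 6
records, plus a hash-based triage step that the name-only lookup does not have.
All names, hosts, hashes and times below are constructed sample values."""
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for the `loldrivers` lookup: driver_name -> output fields.
# Like the real lookup it is keyed on file name only, which is the noted gap.
LOLDRIVERS = {
    "vulndrv_a.sys": {"is_driver": True, "driver_description": "constructed: arbitrary physical memory write"},
    "vulndrv_b.sys": {"is_driver": True, "driver_description": "constructed: exposes MSR access"},
}

# Assumption for the triage step: SHA256 values a defender has confirmed belong
# to the vulnerable builds of each driver (constructed placeholders, not real hashes).
CONFIRMED_VULNERABLE_SHA256 = {
    "vulndrv_a.sys": {"a" * 64},
}

# Constructed Sysmon EventCode 6 (DriverLoad) records in the field layout the
# Splunk Sysmon add-on exposes. The EventCode 7 record must be ignored.
EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "EventCode": 6, "dest": "ws01",
     "ImageLoaded": r"C:\Windows\System32\drivers\vulndrv_a.sys",
     "Hashes": "SHA256=" + "a" * 64, "SignatureStatus": "Valid"},
    {"_time": "2024-05-01T10:05:00Z", "EventCode": 6, "dest": "ws01",
     "ImageLoaded": r"C:\Windows\System32\drivers\vulndrv_a.sys",
     "Hashes": "SHA256=" + "a" * 64, "SignatureStatus": "Valid"},
    {"_time": "2024-05-01T11:00:00Z", "EventCode": 6, "dest": "srv02",
     "ImageLoaded": r"C:\Temp\vulndrv_a.sys",
     "Hashes": "SHA256=" + "b" * 64, "SignatureStatus": "Valid"},
    {"_time": "2024-05-01T12:00:00Z", "EventCode": 6, "dest": "srv02",
     "ImageLoaded": r"C:\Windows\System32\drivers\benign.sys",
     "Hashes": "SHA256=" + "c" * 64, "SignatureStatus": "Valid"},
    {"_time": "2024-05-01T12:30:00Z", "EventCode": 7, "dest": "srv02",
     "ImageLoaded": r"C:\Windows\System32\drivers\vulndrv_b.sys",
     "Hashes": "SHA256=" + "d" * 64, "SignatureStatus": "Valid"},
]


def driver_name(image_loaded):
    """File name the lookup is keyed on, lower-cased so case differences do not miss."""
    return image_loaded.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_of(hashes_field):
    """Pull SHA256 out of Sysmon's 'MD5=..,SHA256=..' Hashes field, or None."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def lookup_matches(events):
    """`sysmon` EventCode=6 | lookup loldrivers driver_name AS ImageLoaded ... | search is_driver = TRUE"""
    matches = []
    for ev in events:
        if ev.get("EventCode") != 6:
            continue
        entry = LOLDRIVERS.get(driver_name(ev["ImageLoaded"]))
        if entry and entry["is_driver"]:
            matches.append({**ev, **entry})
    return matches


def stats_by_dest(matches):
    """stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded driver_description"""
    groups = defaultdict(list)
    for m in matches:
        key = (m["dest"], m["ImageLoaded"], m["driver_description"])
        groups[key].append(datetime.fromisoformat(m["_time"].replace("Z", "+00:00")))
    return {key: {"firstTime": min(ts), "lastTime": max(ts), "count": len(ts)}
            for key, ts in groups.items()}


def triage(matches):
    """Closes the gap the description names: mark each hit whose loaded file's
    SHA256 is a confirmed vulnerable build, so the analyst knows which hits
    still need version and signer confirmation (hash_confirmed == False)."""
    out = []
    for m in matches:
        known = CONFIRMED_VULNERABLE_SHA256.get(driver_name(m["ImageLoaded"]), set())
        digest = sha256_of(m.get("Hashes", ""))
        out.append({"dest": m["dest"], "ImageLoaded": m["ImageLoaded"],
                    "hash_confirmed": digest in known if digest else False})
    return out


def run(events=EVENTS):
    """Full pipeline: lookup + filter, then the stats rows and the triage hints."""
    matches = lookup_matches(events)
    return stats_by_dest(matches), triage(matches)


if __name__ == "__main__":
    stats, hints = run()
    for key, row in stats.items():
        print(key, row)
    for hint in hints:
        print(hint)
```

On the constructed input the stats stage produces two rows (two loads on `ws01`, one on `srv02`), the benign driver and the EventCode 7 record fall out, and the triage step flags the `C:\Temp` load as not hash-confirmed: a same-named file with an unexpected digest is exactly the case the name-only lookup cannot distinguish, and the one the defender still has to verify by version and signer.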