LoFP

False positives will be present. Drill down into the driver further by version number and cross-reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers.

Techniques

Sample rules

Windows Vulnerable Driver Loaded

Description

The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privilege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver; therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver.

Detection logic

`sysmon` EventCode=6
| lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description
| search is_driver = TRUE
| stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded driver_description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_vulnerable_driver_loaded_filter`
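As an added example (not code from this page or from Splunk's security content), the following reproduces the rule's name-only match and then applies the hash, signer and path cross-checks that the false-positive note asks for; the lookup row, driver names, signer strings and events are constructed placeholders, and the field names follow Sysmon EventCode 6 (ImageLoaded, Hashes, Signature) plus Splunk's CIM dest field.

```python
# Added example, not the page's or Splunk's code: rerun the rule's name match in
# Python, then apply the hash/signer/path cross-checks the LoFP note calls for.
import ntpath
from collections import Counter

# Constructed loldrivers-style row; real entries also carry hashes and signer.
LOOKUP = {
    "placeholder_vuln.sys": {
        "driver_description": "constructed entry for the example",
        "sha256": {"a" * 64},
        "signer": "Constructed Vendor Ltd",
    }
}
# Paths the LoFP note suggests excluding to drop "normal" drivers.
NORMAL_PATHS = ("c:\\windows\\system32\\drivers\\",)
EVENTS = [  # constructed Sysmon EventCode 6 records; dest is Splunk's CIM host field
    {"dest": "host1", "ImageLoaded": "C:\\Temp\\placeholder_vuln.sys",
     "Hashes": "SHA256=" + "A" * 64, "Signature": "Constructed Vendor Ltd"},
    {"dest": "host2", "ImageLoaded": "C:\\Windows\\System32\\drivers\\placeholder_vuln.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signature": "Some Other Vendor"},
    {"dest": "host2", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ordinary.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signature": "Constructed OS Vendor"},
]

def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {algorithm: lowercase hex}."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.lower(): v.lower() for k, v in pairs}

def triage(event):
    """None when the name is not in the lookup (the SPL search drops it);
    otherwise the rule's output fields plus a verdict from the extra checks."""
    entry = LOOKUP.get(ntpath.basename(event["ImageLoaded"]).lower())
    if entry is None:
        return None
    if parse_hashes(event.get("Hashes", "")).get("sha256") in entry["sha256"]:
        verdict = "confirmed: hash matches lookup"
    elif event.get("Signature") == entry["signer"]:
        verdict = "review: signer matches, version unknown"
    elif event["ImageLoaded"].lower().startswith(NORMAL_PATHS):
        verdict = "likely benign: name collision in a normal driver path"
    else:
        verdict = "review: name match only"
    return {"dest": event["dest"], "ImageLoaded": event["ImageLoaded"],
            "driver_description": entry["driver_description"], "verdict": verdict}

def summarize(events):
    """Mirror the rule's stats line: count hits by dest, ImageLoaded and verdict."""
    hits = [r for r in map(triage, events) if r]
    return Counter((h["dest"], h["ImageLoaded"], h["verdict"]) for h in hits)
```

The name match alone flags both placeholder_vuln.sys loads, exactly as the SPL does; the hash check confirms one and the path check demotes the other.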