Techniques
Sample rules
Windows Driver Inventory
- source: splunk
- technicques:
- T1068
Description
The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
Detection logic
`driverinventory`
| stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType
| rename host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_driver_inventory_filter`