Techniques
Sample rules
Windows Driver Inventory
- source: splunk
- technicques:
- T1068
Description
The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently.
Detection logic
`driverinventory`
| stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType
| rename host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_driver_inventory_filter`