Techniques
Sample rules
Potential Recon Activity Using DriverQuery.EXE
- source: sigma
- techniques:
Description
Detect usage of the “driverquery” utility to perform reconnaissance on installed drivers
Detection logic
selection_img:
    - Image|endswith: '\driverquery.exe'
    - OriginalFileName: 'drvqry.exe'
selection_parent:
    - ParentImage|endswith:
          - '\cscript.exe'
          - '\mshta.exe'
          - '\regsvr32.exe'
          - '\rundll32.exe'
          - '\wscript.exe'
    - ParentImage|contains:
          - '\AppData\Local\'
          - '\Users\Public\'
          - '\Windows\Temp\'
condition: all of selection_*
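To make the matching semantics concrete, the following is an added example (my code, not part of the Sigma project or this rule) that evaluates the detection logic above against four constructed process-creation records. It implements the Sigma rules the logic relies on: a selection written as a list of maps is OR-ed, the fields inside one map are AND-ed, a list of values for one field is OR-ed, `endswith`/`contains` and plain equality compare case-insensitively, and `all of selection_*` requires both selections to hit. The event field names (`Image`, `OriginalFileName`, `ParentImage`, `CommandLine`) follow Sysmon Event ID 1; the sample events and the executable names `dq.exe` and `stage.exe` are invented for the demonstration.

```python
"""Added example: evaluate the driverquery recon rule over constructed Sysmon-style events."""

from typing import Any, Dict, List, Union

Selection = List[Dict[str, Union[str, List[str]]]]

# Transcription of the rule's two selections. Values for the |contains clauses
# end in a backslash, so they are written with escaped (non-raw) strings.
SELECTION_IMG: Selection = [
    {"Image|endswith": r"\driverquery.exe"},
    {"OriginalFileName": "drvqry.exe"},
]
SELECTION_PARENT: Selection = [
    {"ParentImage|endswith": [r"\cscript.exe", r"\mshta.exe", r"\regsvr32.exe",
                              r"\rundll32.exe", r"\wscript.exe"]},
    {"ParentImage|contains": ["\\AppData\\Local\\", "\\Users\\Public\\", "\\Windows\\Temp\\"]},
]


def _match_value(modifier: str, actual: str, expected: str) -> bool:
    # Sigma string comparisons are case-insensitive; "" means no modifier (equality).
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_field(spec: str, event: Dict[str, Any], expected: Union[str, List[str]]) -> bool:
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:  # field absent from this log source (e.g. no OriginalFileName)
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(_match_value(modifier, str(actual), v) for v in values)


def _match_selection(selection: Selection, event: Dict[str, Any]) -> bool:
    # List of maps: OR across maps, AND across the fields inside each map.
    return any(all(_match_field(f, event, v) for f, v in clause.items())
               for clause in selection)


def rule_matches(event: Dict[str, Any]) -> bool:
    """condition: all of selection_*"""
    return (_match_selection(SELECTION_IMG, event)
            and _match_selection(SELECTION_PARENT, event))


# Constructed sample events (not real telemetry); field names follow Sysmon EID 1.
EVT_SCRIPT_RECON = {  # script host spawning driverquery: should alert
    "Image": r"C:\Windows\System32\driverquery.exe",
    "OriginalFileName": "drvqry.exe",
    "CommandLine": "driverquery /v",
    "ParentImage": r"C:\Windows\System32\wscript.exe",
}
EVT_ADMIN_SHELL = {  # same binary from an interactive shell: intentionally not flagged
    "Image": r"C:\Windows\System32\driverquery.exe",
    "OriginalFileName": "drvqry.exe",
    "CommandLine": "driverquery /fo csv",
    "ParentImage": r"C:\Windows\System32\cmd.exe",
}
EVT_RENAMED_COPY = {  # renamed copy in a staging directory: caught via OriginalFileName
    "Image": r"C:\Users\Public\dq.exe",
    "OriginalFileName": "drvqry.exe",
    "CommandLine": "dq.exe /si",
    "ParentImage": r"C:\Users\Public\stage.exe",
}
EVT_OTHER_LOLBIN = {  # suspicious parent but a different child: not this rule's scope
    "Image": r"C:\Windows\System32\whoami.exe",
    "OriginalFileName": "whoami.exe",
    "CommandLine": "whoami /all",
    "ParentImage": r"C:\Windows\System32\rundll32.exe",
}


def evaluate_all() -> Dict[str, bool]:
    return {name: rule_matches(evt) for name, evt in [
        ("script_recon", EVT_SCRIPT_RECON), ("admin_shell", EVT_ADMIN_SHELL),
        ("renamed_copy", EVT_RENAMED_COPY), ("other_lolbin", EVT_OTHER_LOLBIN)]}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:14s} {'ALERT' if hit else 'pass'}")
```

Two practical points the sample events illustrate. First, the `OriginalFileName` clause is what catches a renamed copy of the binary, but that field comes from the PE version resource and is populated by Sysmon and most EDR process telemetry, not by Windows Security event 4688; on a 4688-only pipeline only the `Image|endswith` branch can fire, and the evaluator above returns no match for an absent field rather than erroring. Second, the parent restriction is a deliberate noise trade-off: `driverquery` launched from `cmd.exe` or `powershell.exe` by an administrator is ignored, which also means a script that first spawns `cmd.exe` and runs `driverquery` from there sits outside this rule and needs process-tree context (grandparent) or a separate rule to be caught.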