Techniques
Sample rules
DriverQuery.EXE Execution
- source: sigma
- techniques:
Description
Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers.
Detection logic
selection:
    - Image|endswith: driverquery.exe
    - OriginalFileName: drvqry.exe
filter_main_other:
    - ParentImage|endswith:
        - \cscript.exe
        - \mshta.exe
        - \regsvr32.exe
        - \rundll32.exe
        - \wscript.exe
    - ParentImage|contains:
        - \AppData\Local\
        - \Users\Public\
        - \Windows\Temp\
condition: selection and not 1 of filter_main_*
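The detection block above evaluated against a few constructed process-creation events, as an added example that is not part of the rule or of this page; the event fields, paths and parent processes are invented. It makes the filter's effect concrete: a driverquery launch whose parent is one of the listed script hosts or directories does not fire this rule, so a deployment should confirm those cases are covered by another rule.

```python
# Added example (not the rule page's own code): minimal evaluator for the Sigma detection
# above on constructed events. Sigma semantics: list of maps = OR, fields in a map = AND, case-insensitive.
RULE = {
    "selection": [
        {"Image|endswith": ["driverquery.exe"]},
        {"OriginalFileName": ["drvqry.exe"]},
    ],
    "filter_main_other": [
        {"ParentImage|endswith": ["\\cscript.exe", "\\mshta.exe", "\\regsvr32.exe",
                                  "\\rundll32.exe", "\\wscript.exe"]},
        {"ParentImage|contains": ["\\AppData\\Local\\", "\\Users\\Public\\", "\\Windows\\Temp\\"]},
    ],
}
def field_matches(event, key, values):
    """Apply one 'Field|modifier' test; no modifier means exact match (case-insensitive)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (v.lower() for v in values):
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False
def block_matches(event, block):
    """A block is a list of maps (OR); every field inside one map must hold (AND)."""
    return any(all(field_matches(event, k, v) for k, v in m.items()) for m in block)
def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    if not block_matches(event, RULE["selection"]):
        return False
    filters = [b for name, b in RULE.items() if name.startswith("filter_main_")]
    return not any(block_matches(event, f) for f in filters)

def ev(image, original, parent):  # constructed event; paths are illustrative, not real telemetry
    return {"Image": image, "OriginalFileName": original, "ParentImage": parent}
EVENTS = [
    ev("C:\\Windows\\System32\\driverquery.exe", "drvqry.exe", "C:\\Windows\\System32\\cmd.exe"),  # fires
    ev("C:\\Windows\\System32\\driverquery.exe", "drvqry.exe", "C:\\Windows\\System32\\wscript.exe"),  # parent filtered
    ev("C:\\Temp\\dq.exe", "drvqry.exe", "C:\\Windows\\System32\\cmd.exe"),  # renamed copy still fires via OriginalFileName
    ev("C:\\Windows\\System32\\driverquery.exe", "drvqry.exe", "C:\\Users\\Public\\loader.exe"),  # parent path filtered
    ev("C:\\Windows\\System32\\whoami.exe", "whoami.exe", "C:\\Windows\\System32\\cmd.exe"),  # selection misses
]

def evaluate(events=EVENTS):
    """One True/False verdict per event, in order; expected [True, False, True, False, False]."""
    return [rule_matches(e) for e in events]
```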