Techniques
Sample rules
Suspicious Driver Loaded Path
- source: splunk
- technicques:
- T1543.003
- T1543
Description
The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.
Detection logic
`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*"))
| stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed
| rename ImageLoaded as file_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_driver_loaded_path_filter`