Techniques
Sample rules
Suspicious Driver Loaded Path
- source: splunk
- techniques:
- T1543.003
- T1543
Description
This analytic detects drivers loaded from suspicious paths. The technique is commonly used by malicious software such as coin miners (xmrig) to register a malicious driver from notable directories where executables or drivers do not commonly exist. During triage, validate that the driver is for legitimate business use, and review its metadata and certificate information. Unsigned drivers from non-standard paths are not normal, but they do occur. In addition, review driver loads into ntoskrnl.exe for possible other drivers of interest. Perform long-tail analysis of drivers by path (both outside and inside the default directories) for further review.
Detection logic
`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf\\*","*\\WINDOWS\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*"))
| stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed
| rename ImageLoaded as file_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_driver_loaded_path_filter`
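
The same filter and aggregation as an added Python example (not part of the original rule), run over constructed Sysmon Event ID 6 records so the path logic can be tested offline. Field names follow the search; the sample hosts, paths and signers are made up, and the output ordering (unsigned first, then rarest) is an assumption based on the triage advice in the description.

```python
from fnmatch import fnmatchcase

# Default driver directories excluded by the search, lower-cased. The inf entry
# carries a trailing \* here so that it can match a file path (assumption).
DEFAULT_DRIVER_PATHS = (
    "*\\windows\\inf\\*",
    "*\\windows\\system32\\drivers\\*",
    "*\\windows\\system32\\driverstore\\filerepository\\*",
)

def is_suspicious_path(image_loaded):
    """True for a .sys image loaded from outside the default driver directories."""
    path = image_loaded.lower()  # Windows paths compare case-insensitively
    if not path.endswith(".sys"):
        return False
    return not any(fnmatchcase(path, pat) for pat in DEFAULT_DRIVER_PATHS)

def summarize(events):
    """Mirror the stats clause: first/last time and count per host, path and signer."""
    rows = {}
    for e in events:
        if e["EventCode"] != 6 or not is_suspicious_path(e["ImageLoaded"]):
            continue
        key = (e["dest"], e["ImageLoaded"], e["Signed"], e["Signature"])
        row = rows.setdefault(key, {"firstTime": e["_time"], "lastTime": e["_time"], "count": 0})
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
        row["count"] += 1
    out = [dict(zip(("dest", "file_name", "Signed", "Signature"), k), **v) for k, v in rows.items()]
    # Triage order (assumption): unsigned loads first, then the rarest paths.
    return sorted(out, key=lambda r: (r["Signed"] == "true", r["count"]))

def make_event(t, code, dest, path, signed, signature):
    return {"_time": t, "EventCode": code, "dest": dest, "ImageLoaded": path,
            "Signed": signed, "Signature": signature}

# Constructed sample records (hosts, paths and signers are made up).
SAMPLE_EVENTS = [
    make_event(100, 6, "ws01", "C:\\Windows\\System32\\drivers\\tcpip.sys", "true", "Microsoft Windows"),
    make_event(110, 6, "ws01", "C:\\Users\\Public\\example.sys", "false", "-"),
    make_event(150, 6, "ws01", "C:\\Users\\Public\\example.sys", "false", "-"),
    make_event(120, 6, "ws02", "C:\\Program Files\\ExampleVendor\\agent.sys", "true", "ExampleVendor Inc."),
    make_event(130, 7, "ws02", "C:\\Temp\\lib.dll", "false", "-"),
    make_event(140, 6, "ws03", "c:\\windows\\SYSTEM32\\DriverStore\\FileRepository\\ex.inf_amd64\\ex.sys", "true", "ExampleVendor Inc."),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```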