Techniques
Sample rules
Windows Drivers Loaded by Signature
- source: splunk
- technicques:
- T1014
- T1068
Description
The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.
Detection logic
`sysmon` EventCode=6
| stats count min(_time) as firstTime max(_time) as lastTime by ImageLoaded dest dvc process_hash process_path signature signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_drivers_loaded_by_signature_filter`