LoFP / this analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.

Techniques

• T1014
• T1068

Sample rules

Windows Drivers Loaded by Signature

• source: splunk
• technicques:
  • T1014
  • T1068

Description

The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.

Detection logic

`sysmon` EventCode=6 
| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_drivers_loaded_by_signature_filter`