LoFP / This analytic is meant to assist with identifying drivers loaded in the environment and is not meant to be set up for notables off the bat.

Techniques

Sample rules

Windows Drivers Loaded by Signature

Description

The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at the prevalence of each driver (count), its path, its signature status and its hash. Review these fields with scrutiny until the driver can be proven legitimate and shown to have a purpose in the environment.

Detection logic

`sysmon` EventCode=6 
| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_drivers_loaded_by_signature_filter`
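As an added example that is not part of the Splunk security-content project or of this page: the aggregation the SPL above performs, re-implemented in Python over a handful of constructed Sysmon EventCode 6 records, so the grouping by host, signature state and hash, the first/last-seen times and the prevalence count can be seen on concrete data. The sample records, their field values, the `allowlist` argument standing in for the environment-specific `windows_drivers_loaded_by_signature_filter` macro, and the `needs_review` triage helper are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Sysmon EventCode 6 (Driver Load) records, shaped the way the
# SPL expects them after the Sysmon add-on has normalised the fields
# (dest, Signed, Signature, service_signature_verified,
# service_signature_exists, Hashes). Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:00:00Z", "dest": "ws01",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "service_signature_verified": "true", "service_signature_exists": "true",
     "Hashes": "SHA256=1111"},
    {"_time": "2024-03-01T08:05:00Z", "dest": "ws01",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "service_signature_verified": "true", "service_signature_exists": "true",
     "Hashes": "SHA256=2222"},
    {"_time": "2024-03-03T07:00:00Z", "dest": "ws01",  # same driver after a reboot
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "service_signature_verified": "true", "service_signature_exists": "true",
     "Hashes": "SHA256=1111"},
    {"_time": "2024-03-02T09:00:00Z", "dest": "ws02",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "service_signature_verified": "true", "service_signature_exists": "true",
     "Hashes": "SHA256=1111"},
    {"_time": "2024-03-02T10:30:00Z", "dest": "ws02",  # unsigned driver from a user path
     "ImageLoaded": r"C:\Users\Public\tools\helper.sys",
     "Signed": "false", "Signature": "-",
     "service_signature_verified": "false", "service_signature_exists": "false",
     "Hashes": "SHA256=dead"},
]

# The "by" clause of the stats command.
GROUP_FIELDS = ("dest", "Signed", "Signature",
                "service_signature_verified", "service_signature_exists", "Hashes")


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _ctime(dt):
    # Stands in for the security_content_ctime macro: epoch -> readable string.
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def drivers_loaded_by_signature(events, allowlist=frozenset()):
    """min(_time), max(_time), values(ImageLoaded), count by GROUP_FIELDS.

    `allowlist` is an assumption for the filter macro: Signature values the
    environment has already vetted are dropped after aggregation.
    """
    groups = defaultdict(lambda: {"first": None, "last": None,
                                  "images": set(), "count": 0})
    for ev in events:
        key = tuple(ev.get(f, "") for f in GROUP_FIELDS)
        t = _parse_time(ev["_time"])
        g = groups[key]
        g["first"] = t if g["first"] is None or t < g["first"] else g["first"]
        g["last"] = t if g["last"] is None or t > g["last"] else g["last"]
        g["images"].add(ev["ImageLoaded"])
        g["count"] += 1

    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        if row["Signature"] in allowlist:
            continue
        row.update(firstTime=_ctime(g["first"]), lastTime=_ctime(g["last"]),
                   ImageLoaded=sorted(g["images"]), count=g["count"])
        rows.append(row)
    # Unsigned and rarest first, the order an analyst pages through this view.
    rows.sort(key=lambda r: (r["Signed"] == "true", r["count"], r["dest"]))
    return rows


def needs_review(rows):
    """Rows with no signature or an unverified one: scrutinise until proven legitimate."""
    return [r for r in rows
            if r["Signed"] != "true" or r["service_signature_verified"] != "true"]


if __name__ == "__main__":
    for r in drivers_loaded_by_signature(SAMPLE_EVENTS):
        print(r["dest"], r["count"], r["Signed"], r["Signature"], r["ImageLoaded"])
    print("review:", [r["ImageLoaded"] for r in needs_review(drivers_loaded_by_signature(SAMPLE_EVENTS))])
```

Because `Hashes` is part of the grouping key, the same driver loaded on two hosts lands in two rows; drop `dest` from `GROUP_FIELDS` when the question is fleet-wide prevalence of a given hash rather than per-host history.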