Techniques
Sample rules
Windows Drivers Loaded by Signature
- source: splunk
- techniques:
- T1014
- T1068
Description
This analytic lists every driver load recorded by Sysmon EventCode 6 (Driver Load). Sysmon supplies a few fields that help single out suspicious drivers: use this search to review the prevalence of each driver (count), the path it was loaded from, its signature status and its hash. Treat each result with scrutiny until you can show the driver is legitimate and has a purpose in the environment. A valid signature on its own does not clear a driver, since attackers also load legitimately signed but vulnerable drivers to gain kernel access, so the hash is worth checking against a known-vulnerable-driver list as well as against what is expected on the host.
Detection logic
`sysmon` EventCode=6
| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_drivers_loaded_by_signature_filter`
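The stats query above re-implemented in Python over constructed Sysmon Event ID 6 records, so the grouping and the review criteria from the description can be exercised without a Splunk instance. This is an added example, not code from the Splunk security content; the hosts, paths, hashes and signers are made up, and it assumes that Splunk's service_signature_exists and service_signature_verified fields are the CIM mappings of Sysmon's own Signed and SignatureStatus fields, which is what the constructed records use directly. The per-hash host prevalence and the system-drivers-directory check go beyond the SPL and are added triage heuristics.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample Sysmon Event ID 6 (Driver Load) records shaped like the
# fields Splunk extracts from Microsoft-Windows-Sysmon/Operational. Hosts,
# paths, hashes and signers are made up for this example (hashes shortened).
SAMPLE_EVENTS = [
    {"dest": "ws01", "UtcTime": "2024-03-01 08:00:01.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=1111", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"dest": "ws01", "UtcTime": "2024-03-02 08:00:02.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=1111", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"dest": "ws02", "UtcTime": "2024-03-01 08:05:12.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=1111", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"dest": "ws03", "UtcTime": "2024-03-01 08:07:45.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=1111", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"dest": "ws02", "UtcTime": "2024-03-01 09:41:33.000",
     "ImageLoaded": "C:\\Users\\Public\\tmp\\helper.sys",
     "Hashes": "SHA256=2222", "Signed": "true",
     "Signature": "Example Corp", "SignatureStatus": "Expired"},
    {"dest": "ws03", "UtcTime": "2024-03-01 11:02:09.000",
     "ImageLoaded": "C:\\Windows\\Temp\\loader.sys",
     "Hashes": "SHA256=3333", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

# Same split as the SPL "by" clause; SignatureStatus stands in for
# service_signature_verified and Signed for service_signature_exists (assumption).
GROUP_BY = ("dest", "Signed", "Signature", "SignatureStatus", "Hashes")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # added heuristic, lower-cased


def parse_utc(value):
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def driver_load_stats(events):
    """Equivalent of the stats command: min/max time, distinct paths and count per group."""
    groups = {}
    for ev in events:
        key = tuple(ev[f] for f in GROUP_BY)
        ts = parse_utc(ev["UtcTime"])
        row = groups.setdefault(
            key, {"firstTime": ts, "lastTime": ts, "images": set(), "count": 0})
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["images"].add(ev["ImageLoaded"])
        row["count"] += 1
    rows = []
    for key, row in groups.items():
        out = dict(zip(GROUP_BY, key))
        out.update(row, images=sorted(row["images"]))
        rows.append(out)
    return sorted(rows, key=lambda r: (r["dest"], r["Hashes"]))


def host_prevalence(events):
    """Distinct hosts per hash: a driver seen fleet-wide is less interesting than a one-off."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["Hashes"]].add(ev["dest"])
    return {h: len(d) for h, d in hosts.items()}


def triage(rows, prevalence, min_hosts=2):
    """Apply the review criteria from the description (signature state, prevalence,
    path) to each stats row. Returns [(row, [reasons])] for rows needing follow-up."""
    flagged = []
    for row in rows:
        reasons = []
        if row["Signed"].lower() != "true":
            reasons.append("driver is unsigned")
        if row["SignatureStatus"] != "Valid":
            reasons.append(f"signature status is {row['SignatureStatus']}")
        seen_on = prevalence.get(row["Hashes"], 0)
        if seen_on < min_hosts:
            reasons.append(f"hash seen on only {seen_on} host(s)")
        if not all(p.lower().startswith(DRIVER_DIR) for p in row["images"]):
            reasons.append("loaded from outside System32\\drivers")
        if reasons:
            flagged.append((row, reasons))
    return flagged


if __name__ == "__main__":
    rows = driver_load_stats(SAMPLE_EVENTS)
    for row, reasons in triage(rows, host_prevalence(SAMPLE_EVENTS)):
        print(f"{row['dest']} {row['images']} count={row['count']} "
              f"{row['firstTime']:%Y-%m-%d %H:%M:%S} -> "
              f"{row['lastTime']:%Y-%m-%d %H:%M:%S}: " + "; ".join(reasons))
```

Run as a script it prints only the two rows an analyst would open (the expired-signature helper.sys and the unsigned loader.sys from a temp directory), while the three hosts loading the same signed ntfs.sys hash fall through. The remaining step the code cannot do for you is the one the description ends on: confirming that a flagged driver actually belongs in the environment.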