-
Notifications
You must be signed in to change notification settings - Fork 446
Expand file tree
/
Copy pathwindows_driver_load_non_standard_path.yml
More file actions
76 lines (76 loc) · 3.45 KB
/
windows_driver_load_non_standard_path.yml
File metadata and controls
76 lines (76 loc) · 3.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: Windows Driver Load Non-Standard Path
id: 9216ef3d-066a-4958-8f27-c84589465e62
version: 6
date: '2025-01-27'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the loading of new Kernel Mode Drivers
from non-standard paths using Windows EventCode 7045. It identifies drivers not
located in typical directories like Windows, Program Files, or SystemRoot. This
activity is significant because adversaries may use these non-standard paths to
load malicious or vulnerable drivers, potentially bypassing security controls. If
confirmed malicious, this could allow attackers to execute code at the kernel level,
escalate privileges, or maintain persistence within the environment, posing a severe
threat to system integrity and security.
data_source:
- Windows Event Log System 7045
search: >-
`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver"
| regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\|\\\\ProgramData\\\\Microsoft\\\\Windows\sDefender\\\\Definition\sUpdates\\\\)"
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode
ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` |
`security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`
how_to_implement: To implement this analytic, the Windows EventCode 7045 will need
to be logged. The Windows TA for Splunk is also recommended.
known_false_positives: False positives may be present based on legitimate third party
applications needing to install drivers. Filter, or allow list known good drivers
consistently being installed in these paths.
references:
- https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
- https://attack.mitre.org/techniques/T1014/
- https://www.fuzzysecurity.com/tutorials/28.html
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A kernel mode driver was loaded from a non-standard path on $dest$.
risk_objects:
- field: dest
type: system
score: 36
threat_objects: []
tags:
analytic_story:
- Windows Drivers
- CISA AA22-320A
- AgentTesla
- BlackByte Ransomware
- BlackSuit Ransomware
asset_type: Endpoint
mitre_attack_id:
- T1014
- T1068
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log
source: XmlWinEventLog:System
sourcetype: XmlWinEventLog