11name : Windows Driver Load Non-Standard Path
22id : 9216ef3d-066a-4958-8f27-c84589465e62
3- version : 7
4- date : ' 2025-05-02 '
3+ version : 8
4+ date : ' 2025-09-23 '
55author : Michael Haag, Splunk
66status : production
77type : TTP
@@ -14,36 +14,42 @@ description: The following analytic detects the loading of new Kernel Mode Drive
1414 escalate privileges, or maintain persistence within the environment, posing a severe
1515 threat to system integrity and security.
1616data_source :
17- - Windows Event Log System 7045
17+ - Windows Event Log System 7045
1818search : >-
19- `wineventlog_system` EventCode=7045 ServiceType="kernel mode driver"
20- | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\|\\\\ProgramData\\\\Microsoft\\\\Windows\sDefender\\\\Definition\sUpdates\\\\)"
21- | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode
22- ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` |
23- `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`
24- how_to_implement : To implement this analytic, the Windows EventCode 7045 will need
25- to be logged. The Windows TA for Splunk is also recommended.
26- known_false_positives : False positives may be present based on legitimate third party
27- applications needing to install drivers. Filter, or allow list known good drivers
28- consistently being installed in these paths.
19+ `wineventlog_system`
20+ EventCode = 7045
21+ ServiceType = "kernel mode driver"
22+ | regex ImagePath != "(?i)^(\w:\\\\Program Files\\\\|\w:\\\\Program Files \(x86\)\\\\|\w:\\\\Windows\\\\System32\\\\|\w:\\\\Windows\\\\SysWOW64\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\|%SystemRoot%|\\\\SystemRoot\\\\|SystemRoot\\\\)"
23+ | stats count min(_time) as firstTime max(_time) as lastTime by
24+ Computer EventCode ImagePath ServiceName ServiceType
25+ | rename Computer as dest
26+ | `security_content_ctime(firstTime)`
27+ | `security_content_ctime(lastTime)`
28+ | `windows_driver_load_non_standard_path_filter`
29+ how_to_implement : |
30+ To implement this analytic, the Windows EventCode 7045 will need to be logged.
31+ The Windows TA for Splunk is also recommended.
32+ known_false_positives : |
33+ False positives may be present based on legitimate third party applications needing to install drivers.
34+ Filter, or allow list known good drivers consistently being installed in these paths.
2935references :
30- - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
31- - https://attack.mitre.org/techniques/T1014/
32- - https://www.fuzzysecurity.com/tutorials/28.html
36+ - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
37+ - https://attack.mitre.org/techniques/T1014/
38+ - https://www.fuzzysecurity.com/tutorials/28.html
3339drilldown_searches :
34- - name : View the detection results for - "$dest$"
35- search : ' %original_detection_search% | search dest = "$dest$"'
36- earliest_offset : $info_min_time$
37- latest_offset : $info_max_time$
38- - name : View risk events for the last 7 days for - "$dest$"
39- search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
40- starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
41- values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
42- as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
43- as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
44- | `security_content_ctime(lastTime)`'
45- earliest_offset : $info_min_time$
46- latest_offset : $info_max_time$
40+ - name : View the detection results for - "$dest$"
41+ search : ' %original_detection_search% | search dest = "$dest$"'
42+ earliest_offset : $info_min_time$
43+ latest_offset : $info_max_time$
44+ - name : View risk events for the last 7 days for - "$dest$"
45+ search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
46+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
47+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
48+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
49+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
50+ | `security_content_ctime(lastTime)`'
51+ earliest_offset : $info_min_time$
52+ latest_offset : $info_max_time$
4753rba :
4854 message : A kernel mode driver was loaded from a non-standard path on $dest$.
4955 risk_objects :
5359 threat_objects : []
5460tags :
5561 analytic_story :
56- - Windows Drivers
57- - CISA AA22-320A
58- - AgentTesla
59- - BlackByte Ransomware
60- - BlackSuit Ransomware
62+ - Windows Drivers
63+ - CISA AA22-320A
64+ - AgentTesla
65+ - BlackByte Ransomware
66+ - BlackSuit Ransomware
6167 asset_type : Endpoint
6268 mitre_attack_id :
63- - T1014
64- - T1068
69+ - T1014
70+ - T1068
6571 product :
66- - Splunk Enterprise
67- - Splunk Enterprise Security
68- - Splunk Cloud
72+ - Splunk Enterprise
73+ - Splunk Enterprise Security
74+ - Splunk Cloud
6975 security_domain : endpoint
7076tests :
71- - name : True Positive Test
72- attack_data :
73- - data :
74- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log
75- source : XmlWinEventLog:System
76- sourcetype : XmlWinEventLog
77+ - name : True Positive Test
78+ attack_data :
79+ - data :
80+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log
81+ source : XmlWinEventLog:System
82+ sourcetype : XmlWinEventLog
0 commit comments