title: Suspicious Driver Load from Temp
author: Florian Roth
date: 2017/02/12
description: Detects a driver load from a temporary directory
detection:
    SELECTION_1:
        EventID: 6
    SELECTION_2:
        ImageLoaded: '*\Temp\\*'
    condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- there is a relevant set of false positives depending on applications in the environment
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
level: high
logsource:
    category: driver_load
    product: windows
modified: 2020/08/23
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
- attack.t1543.003
yml_filename: driver_load_susp_temp_use.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load