title: Suspicious Driver Loaded By User
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to
    load or unload a device driver. With this privilege, the user can dynamically
    load and unload device drivers or other code in to kernel mode. This user right
    does not apply to Plug and Play device drivers. If you exclude privileged users/admins
    and processes, which are allowed to do so, you are maybe left with bad programs
    trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs)
    and the usage of Sysinternals and various other tools. So you have to work with
    a whitelist to find the bad stuff.
detection:
    SELECTION_1:
        EventID: 4673
    SELECTION_10:
        ProcessName: '*\Windows\System32\wimserv.exe'
    SELECTION_11:
        ProcessName: '*\procexp64.exe'
    SELECTION_12:
        ProcessName: '*\procexp.exe'
    SELECTION_13:
        ProcessName: '*\procmon64.exe'
    SELECTION_14:
        ProcessName: '*\procmon.exe'
    SELECTION_15:
        ProcessName: '*\Google\Chrome\Application\chrome.exe'
    SELECTION_2:
        PrivilegeList: SeLoadDriverPrivilege
    SELECTION_3:
        Service: '-'
    SELECTION_4:
        ProcessName: '*\Windows\System32\Dism.exe'
    SELECTION_5:
        ProcessName: '*\Windows\System32\rundll32.exe'
    SELECTION_6:
        ProcessName: '*\Windows\System32\fltMC.exe'
    SELECTION_7:
        ProcessName: '*\Windows\HelpPane.exe'
    SELECTION_8:
        ProcessName: '*\Windows\System32\mmc.exe'
    SELECTION_9:
        ProcessName: '*\Windows\System32\svchost.exe'
    condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not ((SELECTION_4
        or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
        or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
        or SELECTION_15)))
falsepositives:
- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs
    etc. - but not much. You have to baseline this according to your used products
    and allowed tools. Also try to exclude users, which are allowed to load drivers.'
id: f63508a0-c809-4435-b3be-ed819394d612
level: medium
logsource:
    product: windows
    service: security
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
status: experimental
tags:
- attack.t1089
- attack.defense_evasion
- attack.t1562.001
yml_filename: win_user_driver_loaded.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin