CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/builtin/win_user_driver_loaded.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

53 lines
2.0 KiB
YAML
Raw Blame History

title: Suspicious Driver Loaded By User
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to
load or unload a device driver. With this privilege, the user can dynamically load
and unload device drivers or other code in to kernel mode. This user right does
not apply to Plug and Play device drivers. If you exclude privileged users/admins
and processes, which are allowed to do so, you are maybe left with bad programs
trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs)
and the usage of Sysinternals and various other tools. So you have to work with
a whitelist to find the bad stuff.
detection:
SELECTION_1:
EventID: 4673
SELECTION_2:
PrivilegeList: SeLoadDriverPrivilege
SELECTION_3:
Service: '-'
SELECTION_4:
ProcessName:
- '*\Windows\System32\Dism.exe'
- '*\Windows\System32\rundll32.exe'
- '*\Windows\System32\fltMC.exe'
- '*\Windows\HelpPane.exe'
- '*\Windows\System32\mmc.exe'
- '*\Windows\System32\svchost.exe'
- '*\Windows\System32\wimserv.exe'
- '*\procexp64.exe'
- '*\procexp.exe'
- '*\procmon64.exe'
- '*\procmon.exe'
- '*\Google\Chrome\Application\chrome.exe'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
falsepositives:
- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs
etc. - but not much. You have to baseline this according to your used products and
allowed tools. Also try to exclude users, which are allowed to load drivers.'
id: f63508a0-c809-4435-b3be-ed819394d612
level: medium
logsource:
product: windows
service: security
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
status: experimental
tags:
- attack.t1089
- attack.defense_evasion
- attack.t1562.001
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink