67 lines
2.7 KiB
YAML
title: Suspicious Driver Loaded By User
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to
    load or unload a device driver. With this privilege, the user can dynamically
    load and unload device drivers or other code into kernel mode. This user right
    does not apply to Plug and Play device drivers. If you exclude privileged users/admins
    and processes, which are allowed to do so, you may be left with bad programs
    trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs)
    and the usage of Sysinternals and various other tools. So you have to work with
    a whitelist to find the bad stuff.
detection:
    SELECTION_1:
        EventID: 4673
    SELECTION_10:
        ProcessName: '*\Windows\System32\wimserv.exe'
    SELECTION_11:
        ProcessName: '*\procexp64.exe'
    SELECTION_12:
        ProcessName: '*\procexp.exe'
    SELECTION_13:
        ProcessName: '*\procmon64.exe'
    SELECTION_14:
        ProcessName: '*\procmon.exe'
    SELECTION_15:
        ProcessName: '*\Google\Chrome\Application\chrome.exe'
    SELECTION_2:
        PrivilegeList: SeLoadDriverPrivilege
    SELECTION_3:
        Service: '-'
    SELECTION_4:
        ProcessName: '*\Windows\System32\Dism.exe'
    SELECTION_5:
        ProcessName: '*\Windows\System32\rundll32.exe'
    SELECTION_6:
        ProcessName: '*\Windows\System32\fltMC.exe'
    SELECTION_7:
        ProcessName: '*\Windows\HelpPane.exe'
    SELECTION_8:
        ProcessName: '*\Windows\System32\mmc.exe'
    SELECTION_9:
        ProcessName: '*\Windows\System32\svchost.exe'
    condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not ((SELECTION_4
        or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
        or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
        or SELECTION_15)))
falsepositives:
    - 'Other legitimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs
      etc. - but not much. You have to baseline this according to your used products
      and allowed tools. Also try to exclude users who are allowed to load drivers.'
id: f63508a0-c809-4435-b3be-ed819394d612
level: medium
logsource:
    product: windows
    service: security
references:
    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
status: experimental
tags:
    - attack.t1089
    - attack.defense_evasion
    - attack.t1562.001
yml_filename: win_user_driver_loaded.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
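As an added example (not part of the rule or its authors' material), the Python below re-implements the rule's condition with Sigma's case-insensitive wildcard semantics and runs it over constructed 4673 events. The extra_allowed parameter is an assumption of this example: it is the hook for the site-specific baselining the falsepositives note asks for.

```python
import re

# Whitelisted image paths, copied from the rule's SELECTION_4 .. SELECTION_15.
ALLOWED_PROCESS_GLOBS = [
    r'*\Windows\System32\Dism.exe', r'*\Windows\System32\rundll32.exe',
    r'*\Windows\System32\fltMC.exe', r'*\Windows\HelpPane.exe',
    r'*\Windows\System32\mmc.exe', r'*\Windows\System32\svchost.exe',
    r'*\Windows\System32\wimserv.exe', r'*\procexp64.exe', r'*\procexp.exe',
    r'*\procmon64.exe', r'*\procmon.exe',
    r'*\Google\Chrome\Application\chrome.exe',
]


def sigma_glob_to_regex(pattern: str) -> re.Pattern:
    """Sigma string matching: '*' spans any characters, comparison is case-insensitive,
    everything else (backslashes included) is literal, and the whole field must match."""
    body = '.*'.join(re.escape(part) for part in pattern.split('*'))
    return re.compile('^' + body + '$', re.IGNORECASE)


ALLOWED_PROCESS_RE = [sigma_glob_to_regex(g) for g in ALLOWED_PROCESS_GLOBS]


def matches_rule(event: dict, extra_allowed=()) -> bool:
    """Evaluate the rule's condition on one Security event:
    (SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4 .. SELECTION_15).
    extra_allowed: additional site-specific globs from baselining (assumed parameter)."""
    if str(event.get('EventID')) != '4673':                                     # SELECTION_1
        return False
    if str(event.get('PrivilegeList', '')).lower() != 'seloaddriverprivilege':  # SELECTION_2
        return False
    if event.get('Service') != '-':                                             # SELECTION_3
        return False
    process = str(event.get('ProcessName', ''))
    allowed = ALLOWED_PROCESS_RE + [sigma_glob_to_regex(g) for g in extra_allowed]
    return not any(rx.match(process) for rx in allowed)


# Constructed sample events (not real telemetry), using the field names the rule uses.
SAMPLE_EVENTS = [
    {'EventID': 4673, 'PrivilegeList': 'SeLoadDriverPrivilege', 'Service': '-',
     'ProcessName': r'C:\Windows\System32\svchost.exe'},       # whitelisted
    {'EventID': 4673, 'PrivilegeList': 'SeLoadDriverPrivilege', 'Service': '-',
     'ProcessName': r'D:\Tools\PROCEXP64.EXE'},                # whitelisted, case differs
    {'EventID': 4673, 'PrivilegeList': 'SeLoadDriverPrivilege', 'Service': '-',
     'ProcessName': r'C:\Users\Public\unknown_tool.exe'},      # not whitelisted: alerts
    {'EventID': 4673, 'PrivilegeList': 'SeDebugPrivilege', 'Service': '-',
     'ProcessName': r'C:\Users\Public\unknown_tool.exe'},      # other privilege: ignored
    {'EventID': 4673, 'PrivilegeList': 'SeLoadDriverPrivilege', 'Service': 'Security',
     'ProcessName': r'C:\Users\Public\unknown_tool.exe'},      # Service not '-': ignored
]


def alerting_processes(events, extra_allowed=()) -> list:
    """Return the ProcessName of every event the rule would fire on."""
    return [e['ProcessName'] for e in events if matches_rule(e, extra_allowed)]
```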