Event ID 6 — Driver loaded
Description
The driver loaded event provides information about a driver being loaded on the system.
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ImageLoaded | UnicodeString → string | Full path of the driver loaded |
| Hashes | UnicodeString → string | Hashes captured by the Sysmon driver |
| Signed | UnicodeString → string | Whether the loaded driver is signed |
| Signature | UnicodeString → string | The signer |
| SignatureStatus | UnicodeString → string | Status of the signature (e.g. Valid) |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 6,
    "version": 4,
    "level": 4,
    "task": 6,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:39:25.765471+00:00",
    "event_record_id": 1323548,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 10072
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 01:39:25.719",
    "ImageLoaded": "C:\\Windows\\System32\\drivers\\PROCMON24.SYS",
    "Hashes": "SHA1=3886A86F350B056EFC662C893326206FE884CCD9,MD5=CBAED2F7F40A71A0F65CA1D7599CA530,SHA256=650B91475689539B99DB6499E3DF2C300AD15A0C70BB33F9470C8401E3248A45,IMPHASH=8477C11BEB2E153801A537EA17631A52",
    "Signed": "true",
    "Signature": "Microsoft Windows Hardware Compatibility Publisher",
    "SignatureStatus": "Valid"
  },
  "message": ""
}
```
Detection Rules
Sigma
- Malicious Driver Load (high): Detects loading of known malicious drivers via their hash.
- Malicious Driver Load By Name (medium): Detects loading of known malicious drivers via the file name of the drivers.
- PUA - Process Hacker Driver Load (high): Detects driver load of the Process Hacker tool.
- PUA - System Informer Driver Load (medium): Detects driver load of the System Informer tool.
- Driver Load From A Temporary Directory (high): Detects a driver load from a temporary directory.
- Vulnerable Driver Load (high): Detects loading of known vulnerable drivers via their hash.
- Vulnerable Driver Load By Name (low): Detects the load of known vulnerable drivers via the file name of the drivers.
- Vulnerable HackSys Extreme Vulnerable Driver Load (high): Detects the load of the HackSys Extreme Vulnerable Driver, an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their kernel-level exploitation skills, and often abused by threat actors.
- Vulnerable WinRing0 Driver Load (high): Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation.
- WinDivert Driver Load (high): Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows.
Splunk
- Windows Drivers Loaded by Signature: The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.
- Windows Suspicious Driver Loaded Path: The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.
- Windows Vulnerable Driver Loaded: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.
- XMRIG Driver Loaded: The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.
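As an added example (not code from this page, Sysmon, Sigma or Splunk), the Python triage below applies the checks the rules above describe to Event ID 6 records in the JSON layout shown: it parses the `Hashes` field format, flags an unsigned or non-`Valid` signature, a load path in a temporary or non-standard directory, and a SHA256 match against a blocklist. The blocklist, the trusted directory list and the second sample record are constructed assumptions, not real indicators.

```python
import json

# Constructed sample blocklist: a placeholder SHA256, not a real indicator.
KNOWN_BAD_SHA256 = {"00" * 32}
# Assumed directories where drivers are normally installed (lower-case for comparison).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def parse_hashes(field):
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' string into a dict."""
    hashes = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            hashes[algo.strip().upper()] = value.strip().upper()
    return hashes

def triage_driver_load(event):
    """Return the findings for one Event ID 6 record (JSON layout as in the example above)."""
    data = event["event_data"]
    path = data.get("ImageLoaded", "").lower()
    hashes = parse_hashes(data.get("Hashes", ""))
    findings = []
    if data.get("Signed", "").lower() != "true" or data.get("SignatureStatus") != "Valid":
        findings.append("unsigned_or_invalid_signature")
    if any(marker in path for marker in TEMP_MARKERS):
        findings.append("driver_in_temp_dir")
    elif not path.startswith(TRUSTED_DRIVER_DIRS):
        findings.append("driver_outside_standard_dirs")
    if hashes.get("SHA256") in KNOWN_BAD_SHA256:
        findings.append("known_bad_hash")
    return findings

# Constructed sample records: the first mirrors the page's example event, the second is a
# fabricated unsigned driver loaded from a temp directory with a blocklisted hash.
SAMPLE_EVENTS = [
    {"event_data": {"ImageLoaded": "C:\\Windows\\System32\\drivers\\PROCMON24.SYS",
                    "Hashes": "SHA1=3886A86F350B056EFC662C893326206FE884CCD9,MD5=CBAED2F7F40A71A0F65CA1D7599CA530,SHA256=650B91475689539B99DB6499E3DF2C300AD15A0C70BB33F9470C8401E3248A45,IMPHASH=8477C11BEB2E153801A537EA17631A52",
                    "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher",
                    "SignatureStatus": "Valid"}},
    {"event_data": {"ImageLoaded": "C:\\Users\\lab\\AppData\\Local\\Temp\\drv.sys",
                    "Hashes": "SHA256=" + "00" * 32, "Signed": "false", "SignatureStatus": "Unavailable"}},
]

def triage_all(events):
    """Map each ImageLoaded path to its findings; an empty list means nothing was flagged."""
    return {e["event_data"]["ImageLoaded"]: triage_driver_load(e) for e in events}

if __name__ == "__main__":
    print(json.dumps(triage_all(SAMPLE_EVENTS), indent=2))
```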