Potential Privileged System Service Operation - SeLoadDriverPrivilege

Severity: medium
Author: xknow (@xknow_infosec), xorxes (@xor_xes)
Source: upstream

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.001` Impair Defenses: Disable or Modify Tools

Event coverage

Provider	Event ID	Title
Security-Auditing	4673	A privileged service was called.

Stages and Predicates

Stage 1: `selection_1`

PrivilegeList: SeLoadDriverPrivilege
Service: -

Stage 2: `not 1 of filter_main_*`

or:
ProcessName: 'C:\Windows\HelpPane.exe'
ProcessName: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
ProcessName: 'C:\Windows\System32\Dism.exe'
ProcessName: 'C:\Windows\System32\RuntimeBroker.exe'
ProcessName: 'C:\Windows\System32\ShellHost.exe'
ProcessName: 'C:\Windows\System32\SystemSettingsBroker.exe'
ProcessName: 'C:\Windows\System32\fltMC.exe'
ProcessName: 'C:\Windows\System32\mmc.exe'
ProcessName: 'C:\Windows\System32\rundll32.exe'
ProcessName: 'C:\Windows\System32\svchost.exe'
ProcessName: 'C:\Windows\System32\wimserv.exe'
ProcessName: 'C:\Windows\explorer.exe'
ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'

Stage 3: `not 1 of filter_optional_*`

or:
or:
ProcessName|startswith: 'C:\Program Files (x86)\Dropbox\'
ProcessName|startswith: 'C:\Program Files\Dropbox\'
ProcessName|endswith: '\Dropbox.exe'
ProcessName|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
ProcessName|endswith: '\Google\Chrome\Application\chrome.exe'
ProcessName|endswith: '\procexp.exe'
ProcessName|endswith: '\procexp64.exe'
ProcessName|endswith: '\procmon.exe'
ProcessName|endswith: '\procmon64.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`PrivilegeList`	eq	`SeLoadDriverPrivilege`
`ProcessName`	ends_with	`\AppData\Local\Microsoft\Teams\current\Teams.exe` `\Dropbox.exe` `\Google\Chrome\Application\chrome.exe` `\procexp.exe` corpus 2 (sigma 2) `\procexp64.exe` corpus 2 (sigma 2) `\procmon.exe` corpus 2 (sigma 2) `\procmon64.exe` corpus 2 (sigma 2)
`ProcessName`	eq	`C:\Windows\HelpPane.exe` `C:\Windows\ImmersiveControlPanel\SystemSettings.exe` `C:\Windows\System32\Dism.exe` `C:\Windows\System32\RuntimeBroker.exe` `C:\Windows\System32\ShellHost.exe` `C:\Windows\System32\SystemSettingsBroker.exe` `C:\Windows\System32\fltMC.exe` `C:\Windows\System32\mmc.exe` `C:\Windows\System32\rundll32.exe` `C:\Windows\System32\svchost.exe` corpus 3 (sigma 3) `C:\Windows\System32\wimserv.exe` `C:\Windows\explorer.exe`
`ProcessName`	starts_with	`C:\Program Files (x86)\Dropbox\` `C:\Program Files\Dropbox\` `C:\Program Files\WindowsApps\Microsoft`
`Service`	eq	`-`