Windows Drivers Loaded by Signature
The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1068 Exploitation for Privilege Escalation |
| Defense Evasion | T1014 Rootkit |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 6 | Driver loaded |
Stages and Predicates
Stage 1: search
search EventCode=6
Stage 2: stats
stats BY ImageLoaded, dest, dvc, process_hash, process_path, signature, signature_id, user_id, vendor_product
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
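As an added illustration that is not part of this rule or its catalog entry, the Python below re-implements stages 1 and 2 over a few constructed Sysmon records and then pulls out the rows whose signature is not valid, which is the triage the rule's title points at. Field names follow the stats clause above; `signature_status` is an assumed mapping of Sysmon's SignatureStatus field (not listed on this page) and all sample values are invented.

```python
from collections import Counter

# Constructed Sysmon records, not real telemetry. Field names follow the
# rule's stats clause; "signature_status" is an assumed mapping of Sysmon's
# SignatureStatus field.
SAMPLE_EVENTS = [
    {"EventCode": 6, "dest": "ws01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "signature": "Microsoft Windows", "signature_status": "Valid",
     "process_hash": "SHA256=1111", "user_id": "SYSTEM"},
    {"EventCode": 6, "dest": "ws01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "signature": "Microsoft Windows", "signature_status": "Valid",
     "process_hash": "SHA256=1111", "user_id": "SYSTEM"},   # repeat load; collapses in stats
    {"EventCode": 6, "dest": "ws02", "ImageLoaded": r"C:\Users\Public\drv.sys",
     "signature": "", "signature_status": "Unavailable",
     "process_hash": "SHA256=2222", "user_id": "SYSTEM"},
    {"EventCode": 7, "dest": "ws02", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "signature": "Microsoft Windows", "signature_status": "Valid",
     "process_hash": "SHA256=3333", "user_id": "alice"},    # Image Load, not a driver; dropped
]

GROUP_BY = ("ImageLoaded", "dest", "process_hash", "signature", "signature_status", "user_id")

def stage1_search(events, event_code=6):
    """Stage 1: keep only Sysmon Driver Load events (EventCode 6)."""
    return [e for e in events if e.get("EventCode") == event_code]

def stage2_stats(events, fields=GROUP_BY):
    """Stage 2: equivalent of `stats count BY <fields>`; one row per distinct tuple."""
    return Counter(tuple(e.get(f, "") for f in fields) for e in events)

def rows_not_validly_signed(stats, fields=GROUP_BY):
    """Triage: rows whose signature status is anything other than 'Valid'."""
    idx = fields.index("signature_status")
    return {row: n for row, n in stats.items() if row[idx] != "Valid"}

def run(events=SAMPLE_EVENTS):
    """Run the pipeline; returns (all stats rows, rows needing analyst review)."""
    stats = stage2_stats(stage1_search(events))
    return stats, rows_not_validly_signed(stats)

if __name__ == "__main__":
    stats, suspicious = run()
    for row, n in stats.items():
        print(n, row)
    print("needs triage:", list(suspicious))
```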
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 6 |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Suspicious Driver Loaded Path (adds 1 filter)
- XMRIG Driver Loaded (adds 1 filter)