Windows Vulnerable Driver Installed

Author: Dean Luxton
Source: upstream

The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. This detection is a Windows Event Log adaptation of the Sysmon driver loaded detection written by Michael Haag.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543.003` Create or Modify System Process: Windows Service

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `search`

search EventCode=7045 ServiceType="kernel mode driver"

Stage 2: `table`

table EventCode, ImagePath, ServiceName, ServiceType, _time, dest

Stage 3: `lookup`

lookup <lookup> ImagePath, driver_description, driver_name, is_driver

Stage 4: `search`

search is_driver=TRUE

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`7045` corpus 12 (splunk 12)
`ServiceType`	eq	`"kernel mode driver"` corpus 2 (splunk 2)
`is_driver`	eq	`TRUE` corpus 2 (splunk 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Invoke-Obfuscation Obfuscated IEX Invocation - System [sigma] (cross-vendor) (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)
Malicious Powershell Executed As A Service [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Randomly Generated Windows Service Name [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Windows Service Created with Suspicious Service Name [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)