Windows Vulnerable Driver Loaded
The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 6 | Driver loaded |
Stages and Predicates
Stage 1: search
search EventCode=6
Stage 2: stats
stats BY ImageLoaded, dest, dvc, process_hash, process_path, signature, signature_id, user_id, vendor_product
Stage 3: lookup
lookup <lookup> ImageLoaded, driver_description, driver_name, is_driver
Stage 4: search
search is_driver=TRUE
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
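The stage pipeline above, reimplemented over constructed Sysmon events as an added example (this is not the page's or Splunk ESCU's own code). The vulnerable-driver lookup is a constructed placeholder for the page's unnamed `<lookup>`, the grouping fields are a subset of the rule's `stats BY` list, and matching the lookup on the lower-cased file name of `ImageLoaded` is an assumption; stages 5 to 7 (empty searches and the filter macro) are not modelled.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed Sysmon events, not real telemetry. EventCode 6 = driver loaded.
SAMPLE_EVENTS = [
    {"EventCode": 6, "ImageLoaded": r"C:\Windows\System32\drivers\example_vuln.sys",
     "dest": "host1", "signature": "Example Vendor", "user_id": "SYSTEM"},
    {"EventCode": 6, "ImageLoaded": r"C:\Windows\System32\drivers\example_vuln.sys",
     "dest": "host1", "signature": "Example Vendor", "user_id": "SYSTEM"},
    {"EventCode": 6, "ImageLoaded": r"C:\Windows\System32\drivers\benign.sys",
     "dest": "host2", "signature": "Microsoft Windows", "user_id": "SYSTEM"},
    # EventCode 7 is an image load, not a driver load: stage 1 must drop it.
    {"EventCode": 7, "ImageLoaded": r"C:\Temp\example_vuln.sys",
     "dest": "host3", "signature": "Example Vendor", "user_id": "alice"},
]

# Constructed stand-in for the rule's vulnerable-driver lookup, keyed on the
# driver file name (assumption) and carrying the page's output fields.
VULN_DRIVER_LOOKUP = {
    "example_vuln.sys": {"is_driver": "TRUE", "driver_description": "constructed entry"},
    "benign.sys": {"is_driver": "FALSE", "driver_description": "constructed benign entry"},
}

# Subset of the rule's stats BY fields (assumption: enough to show the grouping).
GROUP_FIELDS = ("ImageLoaded", "dest", "signature", "user_id")


def detect_vulnerable_driver_loads(events, lookup):
    """Return one finding per group whose driver resolves to is_driver=TRUE."""
    # Stage 1: search EventCode=6 (keep only Sysmon driver-load events)
    loaded = [e for e in events if e.get("EventCode") == 6]
    # Stage 2: stats count BY the grouping fields
    counts = Counter(tuple(e.get(f) for f in GROUP_FIELDS) for e in loaded)
    findings = []
    for key, count in counts.items():
        row = dict(zip(GROUP_FIELDS, key))
        # Stage 3: lookup on the driver file name (assumed basename, case-insensitive match)
        name = PureWindowsPath(row["ImageLoaded"]).name.lower()
        entry = lookup.get(name)
        # Stage 4: search is_driver=TRUE
        if entry and entry["is_driver"] == "TRUE":
            row.update(entry, driver_name=name, count=count)
            findings.append(row)
    return findings


if __name__ == "__main__":
    for finding in detect_vulnerable_driver_loads(SAMPLE_EVENTS, VULN_DRIVER_LOOKUP):
        print(finding)
```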
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank value or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 6 |
| is_driver | eq | TRUE |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Suspicious Driver Loaded Path (adds 1 filter)
- XMRIG Driver Loaded (adds 1 filter)