
Summary
The rule "First Time Seen Driver Loaded" identifies a driver being loaded into the Windows operating system for the first time within the last 30 days. It uses KQL (Kibana Query Language) to select driver-related events, specifically those in the 'driver' event category. Such detections help establish a baseline of newly installed drivers across an enterprise environment and can surface potentially malicious drivers that exploit vulnerabilities to execute code in kernel mode. Kernel-level code execution is a significant risk because it can compromise system security, bypass security controls, and be used by attackers for privilege escalation or persistent access. The rule lays out detailed investigation steps, such as examining the driver's digital signature, creation timestamps, and any associations with suspicious processes, and includes response and remediation guidance for confirmed detections. The associated MITRE ATT&CK techniques (T1068 for privilege escalation and T1543 for creating or modifying system processes) further contextualize the threats posed by newly detected drivers.
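As an added illustration, not the rule's own implementation, the following Python replays constructed ECS-style driver-load events and reports a (host, driver path) pair the first time it appears within a rolling 30-day window; the field names, the host-scoped key, and the signature-based triage step are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# Lookback window described by the rule: a driver counts as "first seen" when
# the same (host, driver path) pair has not been observed in the previous 30 days.
LOOKBACK = timedelta(days=30)


def _ev(ts, host, path, trusted=True, category="driver", action="load"):
    """Build a constructed ECS-like event (field names are assumptions for this example)."""
    return {"@timestamp": ts, "event.category": category, "event.action": action,
            "host.id": host, "file.path": path, "file.code_signature.trusted": trusted}


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    _ev("2024-01-02T08:00:00Z", "ws-01", "C:\\Windows\\System32\\drivers\\ndis.sys"),
    _ev("2024-01-03T09:00:00Z", "ws-01", "C:\\Windows\\System32\\drivers\\NDIS.SYS"),  # same driver, 1 day later
    _ev("2024-01-05T09:00:00Z", "ws-02", "C:\\Windows\\System32\\drivers\\ndis.sys"),  # known driver, new host
    _ev("2024-01-10T22:15:00Z", "ws-01", "C:\\Users\\Public\\tmpdrv.sys", trusted=False),  # unsigned, user-writable path
    _ev("2024-01-10T22:16:00Z", "ws-01", "C:\\Windows\\System32\\cmd.exe", category="process", action="start"),
    _ev("2024-02-20T08:00:00Z", "ws-01", "C:\\Windows\\System32\\drivers\\ndis.sys"),  # last seen 48 days ago
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_time_seen(events, lookback=LOOKBACK):
    """Return driver-load events whose (host, driver path) was not seen within `lookback`.

    Events are replayed in timestamp order, so a driver that drops out of the
    window is reported again the next time it loads, like a rolling baseline.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if ev.get("event.category") != "driver" or ev.get("event.action") != "load":
            continue  # only driver load events feed the baseline
        ts = parse_ts(ev["@timestamp"])
        key = (ev["host.id"], ev["file.path"].lower())  # Windows paths are case-insensitive
        previous = last_seen.get(key)
        if previous is None or ts - previous > lookback:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts


def triage_priority(event):
    """First investigation step from the rule's guidance: is the driver's signature trusted?"""
    return "low" if event.get("file.code_signature.trusted") else "high"
```

Run over the sample, four loads are reported (the first sighting, the same driver on a second host, the unsigned driver, and the re-aged driver after 48 days), and the unsigned one triages as high priority.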
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Application Log
- Driver
ATT&CK Techniques
- T1068
- T1543
- T1543.003
Created: 2022-12-19