
Summary
This analytic rule detects kernel mode drivers being loaded from non-standard paths on Windows systems, using Windows EventCode 7045 (a service was installed in the system). Identifying drivers whose image path lies outside common directories such as Windows, Program Files, or SystemRoot is crucial, as it may indicate malicious activity. Adversaries often load drivers from atypical locations to evade security measures and to maintain persistence or escalate privileges, posing a significant risk to system integrity. This rule uses regex matching to filter out legitimate driver paths and surfaces only those that may signify an attack or rootkit installation.
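The detection logic described above, as an added illustration rather than the rule's own search: the function filters EventCode 7045 records to kernel mode drivers, normalizes the image path (quotes, forward slashes, the `\??\` and `\\?\` NT prefixes), and allows only paths under the Windows, Program Files, or SystemRoot directories. The event dictionaries, field names (`ServiceName`, `ServiceType`, `ImagePath`) and sample paths are constructed for this example and are assumptions, not telemetry from the page.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like System log EventCode 7045 entries (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"EventCode": 7045, "ServiceName": "ACPI", "ServiceType": "kernel mode driver",
     "ImagePath": r"System32\drivers\ACPI.sys"},                       # relative to %SystemRoot%
    {"EventCode": 7045, "ServiceName": "vmci", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\vmci.sys"},
    {"EventCode": 7045, "ServiceName": "VBoxDrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Program Files\Oracle\VirtualBox\drivers\VBoxDrv\VBoxDrv.sys"},
    {"EventCode": 7045, "ServiceName": "updsvc", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\Public\Downloads\updsvc.sys"},           # outside allowed roots
    {"EventCode": 7045, "ServiceName": "tmp_drv", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Windows\Temp\tmp_drv.sys"},                  # under Windows: passes the allowlist
    {"EventCode": 7045, "ServiceName": "helper", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\ProgramData\Vendor\helper.sys"},           # ProgramData is not Program Files
    {"EventCode": 7045, "ServiceName": "MyAgent", "ServiceType": "user mode service",
     "ImagePath": r"C:\Users\Public\agent.exe"},                      # not a kernel driver: ignored
    {"EventCode": 7036, "ServiceName": "Spooler", "ServiceType": "user mode service",
     "ImagePath": ""},                                                 # wrong EventCode: ignored
]

# Allowlist of legitimate driver roots (case-insensitive). Anything that does not match is reported.
LEGIT_PATH = re.compile(
    r"^(?:"
    r"[a-z]:\\windows\\"                       # C:\Windows\...
    r"|[a-z]:\\program files(?: \(x86\))?\\"   # C:\Program Files\... and C:\Program Files (x86)\...
    r"|\\systemroot\\"                         # \SystemRoot\...
    r"|system32\\"                             # System32\drivers\... (relative to %SystemRoot%)
    r")",
    re.IGNORECASE,
)


def normalize_image_path(raw: str) -> str:
    """Strip quoting, unify separators, and drop NT object-manager prefixes so the regex sees a plain path."""
    path = raw.strip().strip('"').replace("/", "\\")
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
            break
    return path


def find_suspicious_driver_loads(events: List[Dict]) -> List[Dict]:
    """Return kernel-driver installs (EventCode 7045) whose image path is outside the allowlisted roots."""
    hits = []
    for event in events:
        if event.get("EventCode") != 7045:
            continue
        if "kernel" not in str(event.get("ServiceType", "")).lower():
            continue
        path = normalize_image_path(event.get("ImagePath", ""))
        if not path or LEGIT_PATH.match(path):
            continue
        hits.append({"ServiceName": event.get("ServiceName"), "ImagePath": path})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"suspicious driver load: {hit['ServiceName']} -> {hit['ImagePath']}")
```

Running this flags `updsvc` and `helper` and nothing else. Note the caveat the allowlist implies: a driver dropped under `C:\Windows\Temp` passes, because the rule's stated logic treats the whole Windows directory as legitimate; a tighter deployment would allow only `Windows\System32\drivers` and review writable subdirectories separately.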
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1014
- T1068
Created: 2024-11-13