| ID | Technique | Tactic |
|---|---|---|
| T1014 | Rootkit | Defense Evasion |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
Detection: Windows Driver Load Non-Standard Path
Description
The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.
Search
1`wineventlog_system` EventCode = 7045 ServiceType = "kernel mode driver"
2| regex ImagePath != "(?i)^(\w:\\\\Program Files\\\\
3|\w:\\\\Program Files \(x86\)\\\\
4|\w:\\\\Windows\\\\System32\\\\
5|\w:\\\\Windows\\\\SysWOW64\\\\
6|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\
7|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\
8|%SystemRoot%
9|\\\\SystemRoot\\\\
10|SystemRoot\\\\)"
11| stats count min(_time) as firstTime max(_time) as lastTime by
12 Computer EventCode ImagePath ServiceName ServiceType
13
14| rename Computer as dest
15| `security_content_ctime(firstTime)`
16| `security_content_ctime(lastTime)`
17| `windows_driver_load_non_standard_path_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log System 7045 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:System' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_driver_load_non_standard_path_filter | search * |
windows_driver_load_non_standard_path_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.
Known False Positives
False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A kernel mode driver was loaded from a non-standard path on $dest$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 36 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:System |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:System |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 8