Detection: Windows Driver Load Non-Standard Path

Description

The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.

 1`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" 
 2| regex ImagePath!="(?i)^(\w:\\\\Windows\\\\
 3|\w:\\\\Program\sFile
 4|\\\\systemroot\\\\
 5|%SystemRoot%
 6|system32\\\\)" 
 7| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType  
 8| rename Computer as dest  
 9| `security_content_ctime(firstTime)`  
10| `security_content_ctime(lastTime)`  
11| `windows_driver_load_non_standard_path_filter`

Data Source

Name Platform Sourcetype Source
Windows Event Log System 7045 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:System'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_driver_load_non_standard_path_filter search *
windows_driver_load_non_standard_path_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1014 Rootkit Defense Evasion
T1068 Exploitation for Privilege Escalation Privilege Escalation
KillChainPhase.EXPLOITAITON
NistCategory.DE_CM
Cis18Value.CIS_10
APT28
APT41
Rocke
TeamTNT
Winnti Group
APT28
APT29
APT32
APT33
BITTER
Cobalt Group
FIN6
FIN8
LAPSUS$
MoustachedBouncer
PLATINUM
Scattered Spider
Threat Group-3390
Tonto Team
Turla
Volt Typhoon
Whitefly
ZIRCONIUM

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.

Known False Positives

False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
A kernel mode driver was loaded from a non-standard path on $dest$. 36 60 60
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:System XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:System XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 4