Name:Windows Driver Inventory id:f87aa96b-369b-4a3e-9021-1bbacbfcb8fb version:3 date:2024-10-17 author:Michael Haag, Splunk status:experimental type:Hunting Description:The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Data_source:
search:`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`
how_to_implement:To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work. known_false_positives:Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths. References: -https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244 drilldown_searches:
: tags: analytic_story: - 'Windows Drivers' asset_type:Endpoint confidence:10 impact:50 message:Drivers have been identified on $dest$. mitre_attack_id: - 'T1068' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Path' - 'host' - 'DriverType' risk_score:5 security_domain:endpoint
