sigmaDRL-1.1from SigmaHQ/sigma

Potential Recon Activity Using DriverQuery.EXE

Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers

Quality

FP risk

—

Forks

Views

Rule sourcerules/windows/process_creation/proc_creation_win_driverquery_recon.yml

title: Potential Recon Activity Using DriverQuery.EXE
id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
related:
    - id: a20def93-0709-4eae-9bd2-31206e21e6b2
      type: similar
status: test
description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
references:
    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-19
modified: 2023-09-29
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'driverquery.exe'
        - OriginalFileName: 'drvqry.exe'
    selection_parent:
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - ParentImage|contains:
              - '\AppData\Local\'
              - '\Users\Public\'
              - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Legitimate usage by some scripts might trigger this as well
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/info.yml