← Library
splApache-2.0from splunk/security_content

Windows Driver Inventory

The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_driver_inventory.yml
`driverinventory`
  | stats values(Path) min(_time) as firstTime max(_time) as lastTime count
    BY host DriverType
  | rename host as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_driver_inventory_filter`