splApache-2.0from splunk/security_content
Windows Driver Load Non-Standard Path
The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_driver_load_non_standard_path.yml
`wineventlog_system` EventCode = 7045 ServiceType = "kernel mode driver" | regex ImagePath != "(?i)^(\w:\\\\Program Files\\\\|\w:\\\\Program Files \(x86\)\\\\|\w:\\\\Windows\\\\System32\\\\|\w:\\\\Windows\\\\SysWOW64\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\|%SystemRoot%|\\\\SystemRoot\\\\|SystemRoot\\\\)" | stats count min(_time) as firstTime max(_time) as lastTime by
Computer EventCode ImagePath ServiceName ServiceType
| rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`