Untrusted Driver Loaded
Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/27"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[transform]
8[[transform.osquery]]
9label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
10query = """
11SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
12issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
13authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
14"""
15
16[[transform.osquery]]
17label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
18query = """
19SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
20issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
21authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
22"""
23
24
25[rule]
26author = ["Elastic"]
27description = """
28Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of
29unsigned or self-signed code.
30"""
31from = "now-9m"
32index = ["logs-endpoint.events.library-*"]
33language = "eql"
34license = "Elastic License v2"
35name = "Untrusted Driver Loaded"
36note = """## Triage and analysis
37
38### Investigating Untrusted Driver Loaded
39
40Microsoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets.
41
42This protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.
43
44This rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.
45
46> **Note**:
47> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
48
49#### Possible investigation steps
50
51- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:
52 - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.
53 - Examine the file creation and modification timestamps:
54 - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.
55 - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.
56 - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.
57 - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
58- Investigate other alerts associated with the user/host during the past 48 hours.
59- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
60- Use Osquery to investigate the drivers loaded into the system.
61 - $osquery_0
62 - $osquery_1
63- Identify the driver's `Device Name` and `Service Name`.
64- Check for alerts from the rules specified in the `Related Rules` section.
65
66### False positive analysis
67
68- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.
69
70### Related Rules
71
72- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9
73- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd
74- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80
75
76### Response and remediation
77
78- Initiate the incident response process based on the outcome of the triage.
79- Isolate the involved host to prevent further post-compromise behavior.
80- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)
81- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.
82 - This can be done via PowerShell `Remove-Service` cmdlet.
83- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
84- If the triage identified malware, search the environment for additional compromised hosts.
85 - Implement temporary network rules, procedures, and segmentation to contain the malware.
86 - Stop suspicious processes.
87 - Immediately block the identified indicators of compromise (IoCs).
88 - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
89- Remove and block malicious artifacts identified during triage.
90- Ensure that the Driver Signature Enforcement is enabled on the system.
91- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
92- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
93- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
94"""
95references = [
96 "https://github.com/hfiref0x/TDL",
97 "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
98]
99risk_score = 73
100rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa"
101severity = "high"
102tags = [
103 "Domain: Endpoint",
104 "OS: Windows",
105 "Use Case: Threat Detection",
106 "Tactic: Defense Evasion",
107 "Resources: Investigation Guide",
108 "Data Source: Elastic Defend",
109]
110timestamp_override = "event.ingested"
111type = "eql"
112
113query = '''
114driver where host.os.type == "windows" and process.pid == 4 and
115 dll.code_signature.trusted != true and
116 not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*")
117'''
118
119
120[[rule.threat]]
121framework = "MITRE ATT&CK"
122[[rule.threat.technique]]
123id = "T1036"
124name = "Masquerading"
125reference = "https://attack.mitre.org/techniques/T1036/"
126[[rule.threat.technique.subtechnique]]
127id = "T1036.001"
128name = "Invalid Code Signature"
129reference = "https://attack.mitre.org/techniques/T1036/001/"
130
131
132
133[rule.threat.tactic]
134id = "TA0005"
135name = "Defense Evasion"
136reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Investigating Untrusted Driver Loaded
Microsoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets.
This protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.
This rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.
Note: This investigation guide uses the Osquery Markdown Plugin introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
Possible investigation steps
- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:
- Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the
dll.path
field. - Examine the file creation and modification timestamps:
- On Elastic Defend, those can be found in the
dll.Ext.relative_file_creation_time
anddll.Ext.relative_file_name_modify_time
fields. The values are in seconds. - Search for file creation events sharing the same file name as the
dll.name
field and identify the process responsible for the operation.- Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.
- On Elastic Defend, those can be found in the
- Use the driver SHA-256 (
dll.hash.sha256
field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the
- Investigate other alerts associated with the user/host during the past 48 hours.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Use Osquery to investigate the drivers loaded into the system.
- $osquery_0
- $osquery_1
- Identify the driver's
Device Name
andService Name
. - Check for alerts from the rules specified in the
Related Rules
section.
False positive analysis
- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.
Related Rules
- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9
- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd
- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80
Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)
- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.
- This can be done via PowerShell
Remove-Service
cmdlet.
- This can be done via PowerShell
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Ensure that the Driver Signature Enforcement is enabled on the system.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
References
Related rules
- Startup Folder Persistence via Unsigned Process
- Delayed Execution via Ping
- Expired or Revoked Driver Loaded
- First Time Seen Driver Loaded
- Potential Masquerading as Business App Installer