First Time Seen Driver Loaded

  1[metadata]
  2creation_date = "2022/12/19"
  3maturity = "production"
  4min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
  5min_stack_version = "8.6.0"
  6integration = ["endpoint"]
  7updated_date = "2024/03/28"
  8
  9[transform]
 10[[transform.osquery]]
 11label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
 12query = """
 13SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
 14"""
 15
 16[[transform.osquery]]
 17label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
 18query = """
 19SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
 20"""
 21
 22[rule]
 23author = ["Elastic"]
 24description = """
 25Identifies the load of a driver with an original file name and signature values that were observed
 26for the first time during the last 30 days. This rule type can help baseline drivers installation
 27within your environment.
 28"""
 29from = "now-9m"
 30index = ["logs-endpoint.events.library-*"]
 31language = "kuery"
 32license = "Elastic License v2"
 33name = "First Time Seen Driver Loaded"
 34note = """## Triage and analysis
 35
 36### Investigating First Time Seen Driver Loaded
 37
 38A driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.
 39
 40Attackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.
 41
 42Read the complete research on "Stopping Vulnerable Driver Attacks" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).
 43
 44This rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.
 45
 46> **Note**:
 47> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
 48
 49#### Possible investigation steps
 50
 51- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:
 52  - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.
 53  - Examine the digital signature of the driver, and check if it's valid.
 54  - Examine the creation and modification timestamps of the file:
 55    - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `"dll.Ext.relative_file_name_modify_time"` fields, with the values being seconds.
 56    - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.
 57      - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.
 58  - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 59- Investigate other alerts associated with the user/host during the past 48 hours.
 60- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
 61- Use Osquery to investigate the drivers loaded into the system.
 62  - $osquery_0
 63  - $osquery_1
 64- Identify the driver's `Device Name` and `Service Name`.
 65- Check for alerts from the rules specified in the `Related Rules` section.
 66
 67### False positive analysis
 68
 69- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.
 70
 71### Related Rules
 72
 73- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa
 74- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd
 75- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80
 76
 77### Response and remediation
 78
 79- Initiate the incident response process based on the outcome of the triage.
 80- Isolate the involved host to prevent further post-compromise behavior.
 81- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)
 82- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.
 83  - This can be done via PowerShell `Remove-Service` cmdlet.
 84- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 85- If the triage identified malware, search the environment for additional compromised hosts.
 86  - Implement temporary network rules, procedures, and segmentation to contain the malware.
 87  - Stop suspicious processes.
 88  - Immediately block the identified indicators of compromise (IoCs).
 89  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
 90- Remove and block malicious artifacts identified during triage.
 91- Ensure that the Driver Signature Enforcement is enabled on the system.
 92- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 93- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 94- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 95"""
 96references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"]
 97risk_score = 47
 98rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9"
 99severity = "medium"
100tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
101timestamp_override = "event.ingested"
102type = "new_terms"
103
104query = '''
105event.category:"driver" and host.os.type:windows and event.action:"load"
106'''
107
108[[rule.threat]]
109framework = "MITRE ATT&CK"
110[[rule.threat.technique]]
111id = "T1068"
112name = "Exploitation for Privilege Escalation"
113reference = "https://attack.mitre.org/techniques/T1068/"
114
115
116[rule.threat.tactic]
117id = "TA0004"
118name = "Privilege Escalation"
119reference = "https://attack.mitre.org/tactics/TA0004/"
120
121
122[[rule.threat]]
123framework = "MITRE ATT&CK"
124[[rule.threat.technique]]
125id = "T1543"
126name = "Create or Modify System Process"
127reference = "https://attack.mitre.org/techniques/T1543/"
128[[rule.threat.technique.subtechnique]]
129id = "T1543.003"
130name = "Windows Service"
131reference = "https://attack.mitre.org/techniques/T1543/003/"
132
133
134[rule.threat.tactic]
135id = "TA0003"
136name = "Persistence"
137reference = "https://attack.mitre.org/tactics/TA0003/"
138
139[rule.new_terms]
140field = "new_terms_fields"
141value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"]
142[[rule.new_terms.history_window_start]]
143field = "history_window_start"
144value = "now-30d"