Expired or Revoked Driver Loaded
Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
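[metadata]
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities
to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Expired or Revoked Driver Loaded"
references = [
    "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
]
risk_score = 47
rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Fires on Elastic Defend `driver` library events whose code-signature check
# returned an expired or revoked status. Only the two listed status values
# match; untrusted-but-unexpired signatures are out of scope for this rule.
# NOTE(review): `process.pid == 4` presumably pins the load to the Windows
# System process (kernel-mode driver loads) — confirm against the data source.
# NOTE(review): "errorExpired" can also match legitimately old drivers whose
# signing certificate has since lapsed; if this proves noisy, tune with an
# exception on the driver's hash or signer rather than dropping the status.
query = '''
driver where host.os.type == "windows" and process.pid == 4 and
 dll.code_signature.status : ("errorExpired", "errorRevoked")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"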