Expired or Revoked Driver Loaded
Identifies an attempt to load a revoked or expired driver. Adversaries may bring their own outdated, vulnerable driver (BYOVD) to gain code execution in kernel mode, or abuse revoked certificates to sign their own drivers.
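# Elastic prebuilt detection rule: "Expired or Revoked Driver Loaded".
# Matches a Windows driver load where the driver's code-signing status is
# expired or revoked. Covers two adversary behaviours: bring-your-own-
# vulnerable-driver (BYOVD) abuse of old, signed-but-vulnerable drivers,
# and drivers signed with certificates that have since been revoked.
[metadata]
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities
to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
"""
# How far back each rule execution searches. Combined with
# timestamp_override = "event.ingested" below, events that reach the
# cluster late are still evaluated.
from = "now-9m"
# Driver loads are delivered by Elastic Defend as library events; the driver's
# signature fields are therefore under dll.* rather than file.* or process.*.
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Expired or Revoked Driver Loaded"
references = [
  "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
]
risk_score = 47
rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# process.pid == 4 is the Windows System process, the context in which
# kernel drivers are loaded; the filter keeps user-mode library loads out.
# The rule only inspects the signature-validation outcome. It does not
# consult Microsoft's vulnerable-driver blocklist, so a hit means
# "signature no longer trusted", not "known-vulnerable driver" -- pair it
# with dll.hash.sha256 / dll.code_signature.subject_name during triage.
# NOTE(review): "errorExpired" can be produced by legitimate legacy vendor
# drivers whose signing chain expired without a usable timestamp
# countersignature; exclude those by hash or signer only after verifying
# the binary. "errorRevoked" is the higher-fidelity branch (revocation is
# typically a response to a leaked or abused certificate) and should not
# be excepted wholesale.
query = '''
driver where host.os.type == "windows" and process.pid == 4 and
  dll.code_signature.status : ("errorExpired", "errorRevoked")
'''

# ATT&CK mapping. Kernel-mode code execution through a vulnerable driver
# is modelled as Exploitation for Privilege Escalation (T1068).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# Loading a driver under a revoked or expired signature is mapped to
# Masquerading: Invalid Code Signature (T1036.001).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"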