Expired or Revoked Driver Loaded
Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/06/26"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities
13to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.library-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Expired or Revoked Driver Loaded"
20references = [
21 "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"
22]
23risk_score = 47
24rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31driver where host.os.type == "windows" and process.pid == 4 and
32 dll.code_signature.status : ("errorExpired", "errorRevoked")
33'''
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1068"
39name = "Exploitation for Privilege Escalation"
40reference = "https://attack.mitre.org/techniques/T1068/"
41
42
43[rule.threat.tactic]
44id = "TA0004"
45name = "Privilege Escalation"
46reference = "https://attack.mitre.org/tactics/TA0004/"
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1036"
52name = "Masquerading"
53reference = "https://attack.mitre.org/techniques/T1036/"
54
55[[rule.threat.technique.subtechnique]]
56id = "T1036.001"
57name = "Invalid Code Signature"
58reference = "https://attack.mitre.org/techniques/T1036/001/"
59
60
61[rule.threat.tactic]
62id = "TA0005"
63name = "Defense Evasion"
64reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
Digital Signatures for Kernel Modules on Windows Article 06/01/2017 This paper describes how to manage the signing process for kernel-mode software for Windows Vista. File name: kmsigning.doc 382 K...
Read More
Related rules
- Bypass UAC via Event Viewer
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Parent Process PID Spoofing
- Service Control Spawned via Script Interpreter