Expired or Revoked Driver Loaded

Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/06/26"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/09"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities
13to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Expired or Revoked Driver Loaded"
20references = [
21  "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"
22]
23risk_score = 47
24rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31driver where host.os.type == "windows" and process.pid == 4 and
32  dll.code_signature.status : ("errorExpired", "errorRevoked")
33'''
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1068"
39name = "Exploitation for Privilege Escalation"
40reference = "https://attack.mitre.org/techniques/T1068/"
41
42
43[rule.threat.tactic]
44id = "TA0004"
45name = "Privilege Escalation"
46reference = "https://attack.mitre.org/tactics/TA0004/"
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1036"
52name = "Masquerading"
53reference = "https://attack.mitre.org/techniques/T1036/"
54
55[[rule.threat.technique.subtechnique]]
56id = "T1036.001"
57name = "Invalid Code Signature"
58reference = "https://attack.mitre.org/techniques/T1036/001/"
59
60
61[rule.threat.tactic]
62id = "TA0005"
63name = "Defense Evasion"
64reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top