Expired or Revoked Driver Loaded

Identifies an attempt to load a revoked or expired driver. Adversaries may bring their own outdated, vulnerable drivers to gain kernel-mode code execution, or sign their drivers with revoked certificates.


 1[metadata]
 2creation_date = "2023/06/26"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities
11to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.library-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Expired or Revoked Driver Loaded"
18references = [
19    "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
20]
21risk_score = 47
22rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
23severity = "medium"
24tags = [
25    "Domain: Endpoint",
26    "OS: Windows",
27    "Use Case: Threat Detection",
28    "Tactic: Privilege Escalation",
29    "Tactic: Defense Evasion",
30    "Data Source: Elastic Defend",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36driver where host.os.type == "windows" and process.pid == 4 and
37  dll.code_signature.status : ("errorExpired", "errorRevoked")
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1068"
45name = "Exploitation for Privilege Escalation"
46reference = "https://attack.mitre.org/techniques/T1068/"
47
48
49[rule.threat.tactic]
50id = "TA0004"
51name = "Privilege Escalation"
52reference = "https://attack.mitre.org/tactics/TA0004/"
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1036"
57name = "Masquerading"
58reference = "https://attack.mitre.org/techniques/T1036/"
59[[rule.threat.technique.subtechnique]]
60id = "T1036.001"
61name = "Invalid Code Signature"
62reference = "https://attack.mitre.org/techniques/T1036/001/"
63
64
65
66[rule.threat.tactic]
67id = "TA0005"
68name = "Defense Evasion"
69reference = "https://attack.mitre.org/tactics/TA0005/"
