Potential Privileged System Service Operation - SeLoadDriverPrivilege
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude the privileged users/admins and processes that are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) as well as the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff.
Sigma rule
```yaml
title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
description: |
    Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
    With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode.
    This user right does not apply to Plug and Play device drivers.
    If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
    This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
    - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2023-01-20
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4673
        PrivilegeList: 'SeLoadDriverPrivilege'
        Service: '-'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\Dism.exe'
            - 'C:\Windows\System32\rundll32.exe'
            - 'C:\Windows\System32\fltMC.exe'
            - 'C:\Windows\HelpPane.exe'
            - 'C:\Windows\System32\mmc.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\wimserv.exe'
            - 'C:\Windows\System32\RuntimeBroker.exe'
            - 'C:\Windows\System32\SystemSettingsBroker.exe'
            - 'C:\Windows\explorer.exe'
    filter_endswith:
        ProcessName|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_startswith:
        ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
    condition: selection_1 and not 1 of filter_*
falsepositives:
    - Other legitimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium
```
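To make the condition `selection_1 and not 1 of filter_*` concrete, here is a small reference implementation of the rule's logic run over a handful of constructed Security 4673 records. This is an added example, not code from the Sigma project or the rule's authors; the sample events are made up and carry only the fields the rule reads plus `SubjectUserName`. It applies Sigma's default case-insensitive string matching, and it goes one step beyond the rule with an optional `allowed_users` parameter, which implements the tuning step the falsepositives note recommends (excluding users who are permitted to load drivers).

```python
"""Reference implementation of the SeLoadDriverPrivilege Sigma rule over constructed 4673 events."""

# Allow-lists transcribed from the rule's filter_exact, filter_endswith and filter_startswith.
FILTER_EXACT = {
    r"C:\Windows\System32\Dism.exe",
    r"C:\Windows\System32\rundll32.exe",
    r"C:\Windows\System32\fltMC.exe",
    r"C:\Windows\HelpPane.exe",
    r"C:\Windows\System32\mmc.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wimserv.exe",
    r"C:\Windows\System32\RuntimeBroker.exe",
    r"C:\Windows\System32\SystemSettingsBroker.exe",
    r"C:\Windows\explorer.exe",
}
FILTER_ENDSWITH = (
    r"\procexp64.exe",
    r"\procexp.exe",
    r"\procmon64.exe",
    r"\procmon.exe",
    r"\Google\Chrome\Application\chrome.exe",
    r"\AppData\Local\Microsoft\Teams\current\Teams.exe",
)
FILTER_STARTSWITH = (r"C:\Program Files\WindowsApps\Microsoft",)

# Sigma string matching is case-insensitive by default, so all comparisons are done lowercased.
_EXACT = {p.lower() for p in FILTER_EXACT}
_ENDS = tuple(p.lower() for p in FILTER_ENDSWITH)
_STARTS = tuple(p.lower() for p in FILTER_STARTSWITH)


def matches_selection(event: dict) -> bool:
    """selection_1: Security 4673 where SeLoadDriverPrivilege was used and Service is '-'."""
    return (
        event.get("EventID") == 4673
        and str(event.get("PrivilegeList", "")).lower() == "seloaddriverprivilege"
        and event.get("Service") == "-"
    )


def is_filtered(process_name: str) -> bool:
    """True if ProcessName hits any of the three filter_* selections."""
    p = process_name.lower()
    return p in _EXACT or p.endswith(_ENDS) or p.startswith(_STARTS)


def rule_matches(event: dict) -> bool:
    """condition: selection_1 and not 1 of filter_*"""
    return matches_selection(event) and not is_filtered(str(event.get("ProcessName", "")))


def find_alerts(events, allowed_users=()):
    """Return the events the rule fires on. allowed_users is an extra tuning knob
    (hypothetical, not part of the rule) that drops events from users who may load drivers."""
    allowed = {u.lower() for u in allowed_users}
    return [
        e for e in events
        if rule_matches(e) and str(e.get("SubjectUserName", "")).lower() not in allowed
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4673, "PrivilegeList": "SeLoadDriverPrivilege", "Service": "-",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "SYSTEM"},       # filter_exact
    {"EventID": 4673, "PrivilegeList": "SeLoadDriverPrivilege", "Service": "-",
     "ProcessName": r"C:\Tools\procexp64.exe", "SubjectUserName": "admin"},                  # filter_endswith
    {"EventID": 4673, "PrivilegeList": "SeLoadDriverPrivilege", "Service": "-",
     "ProcessName": r"C:\Program Files\WindowsApps\Microsoft.Example_1.0_x64__abc\App.exe",
     "SubjectUserName": "alice"},                                                         # filter_startswith
    {"EventID": 4673, "PrivilegeList": "SeLoadDriverPrivilege", "Service": "-",
     "ProcessName": r"C:\Users\alice\Downloads\updater.exe", "SubjectUserName": "alice"},    # no filter hits: alert
    {"EventID": 4673, "PrivilegeList": "SeDebugPrivilege", "Service": "-",
     "ProcessName": r"C:\Users\alice\Downloads\updater.exe", "SubjectUserName": "alice"},    # other privilege
    {"EventID": 4673, "PrivilegeList": "SeLoadDriverPrivilege", "Service": "LsaRegisterLogonProcess()",
     "ProcessName": r"C:\Users\alice\Downloads\updater.exe", "SubjectUserName": "alice"},    # Service != '-'
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT user={e['SubjectUserName']} process={e['ProcessName']}")
```

Of the six constructed events only the unknown `updater.exe` run survives all three filters; the same binary under `SeDebugPrivilege` or with a non-`-` `Service` value never enters `selection_1`. In a real deployment a Sigma backend compiles the rule for your SIEM, but walking through the logic this way makes it obvious where to extend the allow-lists once you have baselined the driver-loading tools in your environment.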