Potential Recon Activity Using DriverQuery.EXE

 1title: Potential Recon Activity Using DriverQuery.EXE
 2id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
 3related:
 4    - id: a20def93-0709-4eae-9bd2-31206e21e6b2
 5      type: similar
 6status: test
 7description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
 8references:
 9    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
10    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
11    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2023-01-19
14modified: 2023-09-29
15tags:
16    - attack.discovery
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: 'driverquery.exe'
23        - OriginalFileName: 'drvqry.exe'
24    selection_parent:
25        - ParentImage|endswith:
26              - '\cscript.exe'
27              - '\mshta.exe'
28              - '\regsvr32.exe'
29              - '\rundll32.exe'
30              - '\wscript.exe'
31        - ParentImage|contains:
32              - '\AppData\Local\'
33              - '\Users\Public\'
34              - '\Windows\Temp\'
35    condition: all of selection_*
36falsepositives:
37    - Legitimate usage by some scripts might trigger this as well
38level: high

References

• Unwrapping Ursnifs Gifts

  

  In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the env…

  
  Read More

• Analyzing Ursnif’s Behavior Using a Malware Sandbox - VMRay

  

  Read VMRay Senior Threat Analyst, Tamas Boczan's behavioral analysis of an Ursnif sample, a known banking trojan.

  
  Read More

• SAIGON, the Mysterious Ursnif Fork | Google Cloud Blog

  

  Implications It is currently unclear whether SAIGON is representative of a broader evolution in the Ursnif malware ecosystem. The low number of SAIGON samples identified thus far—all of which have ...

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• AD Groups Or Users Enumeration Using PowerShell - PoshModule
• AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
• AD Privileged Users or Groups Reconnaissance