Potential Recon Activity Using DriverQuery.EXE

calendar Oct 18, 2023 · attack.discovery  ·
Share on: linkedin copy

Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers

Sigma rule (View on GitHub)

 1title: Potential Recon Activity Using DriverQuery.EXE
 2id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
 3related:
 4    - id: a20def93-0709-4eae-9bd2-31206e21e6b2
 5      type: similar
 6status: experimental
 7description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
 8references:
 9    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
10    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
11    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2023/01/19
14modified: 2023/09/29
15tags:
16    - attack.discovery
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: 'driverquery.exe'
23        - OriginalFileName: 'drvqry.exe'
24    selection_parent:
25        - ParentImage|endswith:
26              - '\cscript.exe'
27              - '\mshta.exe'
28              - '\regsvr32.exe'
29              - '\rundll32.exe'
30              - '\wscript.exe'
31        - ParentImage|contains:
32              - '\AppData\Local\'
33              - '\Users\Public\'
34              - '\Windows\Temp\'
35    condition: all of selection_*
36falsepositives:
37    - Legitimate usage by some scripts might trigger this as well
38level: high

References

Related rules

to-top