DriverQuery.EXE Execution

calendar Oct 18, 2023 · attack.discovery  ·
Share on: linkedin copy

Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers

Sigma rule (View on GitHub)

 1title: DriverQuery.EXE Execution
 2id: a20def93-0709-4eae-9bd2-31206e21e6b2
 3related:
 4    - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
 5      type: similar
 6status: experimental
 7description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
 8references:
 9    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
10    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
11    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2023/01/19
14modified: 2023/09/29
15tags:
16    - attack.discovery
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        - Image|endswith: 'driverquery.exe'
23        - OriginalFileName: 'drvqry.exe'
24    filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting
25        - ParentImage|endswith:
26              - '\cscript.exe'
27              - '\mshta.exe'
28              - '\regsvr32.exe'
29              - '\rundll32.exe'
30              - '\wscript.exe'
31        - ParentImage|contains:
32              - '\AppData\Local\'
33              - '\Users\Public\'
34              - '\Windows\Temp\'
35    condition: selection and not 1 of filter_main_*
36falsepositives:
37    - Legitimate use by third party tools in order to investigate installed drivers
38level: medium # Level could be reduced to low if this utility is often used in your environment

References

Related rules

to-top