Suspicious VBoxDrvInst.exe Parameters
Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Sigma rule (View on GitHub)
1title: Suspicious VBoxDrvInst.exe Parameters
2id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
3status: test
4description: |
5 Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
6 This allows to create values in the registry and install drivers.
7 For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
8references:
9 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
10 - https://twitter.com/pabraeken/status/993497996179492864
11author: Konstantin Grishchenko, oscd.community
12date: 2020-10-06
13modified: 2021-11-27
14tags:
15 - attack.persistence
16 - attack.defense-evasion
17 - attack.t1112
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 Image|endswith: '\VBoxDrvInst.exe'
24 CommandLine|contains|all:
25 - 'driver'
26 - 'executeinf'
27 condition: selection
28fields:
29 - ComputerName
30 - User
31 - CommandLine
32 - ParentCommandLine
33falsepositives:
34 - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
35level: medium
References
-
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird