Suspicious VBoxDrvInst.exe Parameters
Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Sigma rule (View on GitHub)
1title: Suspicious VBoxDrvInst.exe Parameters
2id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
3status: test
4description: |
5 Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
6 This allows to create values in the registry and install drivers.
7 For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
8references:
9 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
10 - https://twitter.com/pabraeken/status/993497996179492864
11author: Konstantin Grishchenko, oscd.community
12date: 2020-10-06
13modified: 2021-11-27
14tags:
15 - attack.persistence
16 - attack.defense-evasion
17 - attack.t1112
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 Image|endswith: '\VBoxDrvInst.exe'
24 CommandLine|contains|all:
25 - 'driver'
26 - 'executeinf'
27 condition: selection
28falsepositives:
29 - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
30level: medium
References
-
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Disable Security Events Logging Adding Reg Key MiniNt
- Imports Registry Key From a File
- Imports Registry Key From an ADS
- Registry Entries For Azorult Malware
- Registry Modification Via Regini.EXE