Suspicious VBoxDrvInst.exe Parameters
Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Sigma rule (View on GitHub)
1title: Suspicious VBoxDrvInst.exe Parameters
2id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
3status: test
4description: |
5 Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
6 This allows to create values in the registry and install drivers.
7 For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
8references:
9 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
10 - https://twitter.com/pabraeken/status/993497996179492864
11author: Konstantin Grishchenko, oscd.community
12date: 2020-10-06
13modified: 2021-11-27
14tags:
15 - attack.defense-evasion
16 - attack.t1112
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\VBoxDrvInst.exe'
23 CommandLine|contains|all:
24 - 'driver'
25 - 'executeinf'
26 condition: selection
27fields:
28 - ComputerName
29 - User
30 - CommandLine
31 - ParentCommandLine
32falsepositives:
33 - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
34level: medium
References
-
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry