Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Privileged System Service Operation - SeLoadDriverPrivilege

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
xknow, xorxesCreated Mon Apr 08Updated Sun Mar 29f63508a0-c809-4435-b3be-ed819394d612windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic5 selectors
detection:
    selection_1:
        EventID: 4673
        PrivilegeList: 'SeLoadDriverPrivilege'
        Service: '-'
    filter_main_exact:
        ProcessName:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\HelpPane.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\System32\Dism.exe'
            - 'C:\Windows\System32\fltMC.exe'
            - 'C:\Windows\System32\mmc.exe'
            - 'C:\Windows\System32\rundll32.exe'
            - 'C:\Windows\System32\RuntimeBroker.exe'
            - 'C:\Windows\System32\ShellHost.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\SystemSettingsBroker.exe'
            - 'C:\Windows\System32\wimserv.exe'
    filter_optional_others:
        ProcessName|endswith:
            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\procmon.exe'
            - '\procmon64.exe'
    filter_main_startswith:
        ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
    filter_optional_dropbox:
        ProcessName|startswith:
            - 'C:\Program Files (x86)\Dropbox\'
            - 'C:\Program Files\Dropbox\'
        ProcessName|endswith: '\Dropbox.exe'
    condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.

References
1
Resolving title…
web.archive.org
2
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
f63508a0-c809-4435-b3be-ed819394d612
Status
test
Level
medium
Type
Detection
Created
Mon Apr 08
Modified
Sun Mar 29
Author
xknow, xorxes
Path
rules/windows/builtin/security/win_security_user_driver_loaded.yml
Raw Tags
attack.defense-evasionattack.t1562.001
View on GitHub