IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Unsigned DLL Side-Loading from a Suspicious Folder Unusual File Creation - Alternate Data Stream »

› ›

Untrusted Driver Loaded

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Untrusted Driver Loaded

edit

Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
macOS
Threat Detection
Defense Evasion

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

driver where host.os.type == "windows" and process.pid == 4 and
  dll.code_signature.trusted != true and
  not dll.code_signature.status : ("errorExpired", "errorRevoked")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Subvert Trust Controls
- ID: T1553
- Reference URL: https://attack.mitre.org/techniques/T1553/
Sub-technique:
- Name: Code Signing Policy Modification
- ID: T1553.006
- Reference URL: https://attack.mitre.org/techniques/T1553/006/

« Unsigned DLL Side-Loading from a Suspicious Folder Unusual File Creation - Alternate Data Stream »