rules/windows/sysmon/sysmon_susp_driver_load.yml

title: Suspicious Driver Load from Temp
description: Detetcs a driver load from a temporary directory
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
        ImageLoaded: '*\Temp\*'
    condition: selection
falsepositives:
    - there is a relevant set of false positives depending on applications in the envirnment 
level: medium
New rules and cleanup 2017-02-12 15:50:39 +01:00			`title: Suspicious Driver Load from Temp`
			`description: Detetcs a driver load from a temporary directory`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`author: Florian Roth`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00			`product: windows`
			`service: sysmon`
New rules and cleanup 2017-02-12 15:50:39 +01:00			`detection:`
			`selection:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`EventID: 6`
			`ImageLoaded: '\Temp\'`
New rules and cleanup 2017-02-12 15:50:39 +01:00			`condition: selection`
			`falsepositives:`
			`- there is a relevant set of false positives depending on applications in the envirnment`
Levels to low, medium, high, critical 2017-02-16 18:02:26 +01:00			`level: medium`