rules/windows/sysmon/sysmon_susp_driver_load.yml

title: Suspicious Driver Load from Temp
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
description: Detects a driver load from a temporary directory
author: Florian Roth
tags:
    - attack.persistence
    - attack.t1050
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
        ImageLoaded: '*\Temp\\*'
    condition: selection
falsepositives:
    - there is a relevant set of false positives depending on applications in the environment 
level: medium
New rules and cleanup 2017-02-12 15:50:39 +01:00			`title: Suspicious Driver Load from Temp`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75`
Fixed typo 2018-07-10 09:14:37 -05:00			`description: Detects a driver load from a temporary directory`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`author: Florian Roth`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`tags:`
			`- attack.persistence`
			`- attack.t1050`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00			`product: windows`
			`service: sysmon`
New rules and cleanup 2017-02-12 15:50:39 +01:00			`detection:`
			`selection:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`EventID: 6`
Escaped '\' to '\\' where required 2019-02-03 00:24:57 +01:00			`ImageLoaded: '\Temp\\'`
New rules and cleanup 2017-02-12 15:50:39 +01:00			`condition: selection`
			`falsepositives:`
Update sysmon_susp_driver_load.yml 2018-07-13 18:36:12 -05:00			`- there is a relevant set of false positives depending on applications in the environment`
Levels to low, medium, high, critical 2017-02-16 18:02:26 +01:00			`level: medium`