diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index 2b74ad5c5..d951be519 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -12,7 +12,7 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019-04-08
-modified: 2025-10-07
+modified: 2026-03-29
 tags:
 - attack.defense-evasion
 - attack.t1562.001
@@ -26,24 +26,26 @@ detection:
 Service: '-'
 filter_main_exact:
 ProcessName:
- - 'C:\Windows\System32\Dism.exe'
- - 'C:\Windows\System32\rundll32.exe'
- - 'C:\Windows\System32\fltMC.exe'
- - 'C:\Windows\HelpPane.exe'
- - 'C:\Windows\System32\mmc.exe'
- - 'C:\Windows\System32\svchost.exe'
- - 'C:\Windows\System32\wimserv.exe'
- - 'C:\Windows\System32\RuntimeBroker.exe'
- - 'C:\Windows\System32\SystemSettingsBroker.exe'
 - 'C:\Windows\explorer.exe'
+ - 'C:\Windows\HelpPane.exe'
+ - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+ - 'C:\Windows\System32\Dism.exe'
+ - 'C:\Windows\System32\fltMC.exe'
+ - 'C:\Windows\System32\mmc.exe'
+ - 'C:\Windows\System32\rundll32.exe'
+ - 'C:\Windows\System32\RuntimeBroker.exe'
+ - 'C:\Windows\System32\ShellHost.exe'
+ - 'C:\Windows\System32\svchost.exe'
+ - 'C:\Windows\System32\SystemSettingsBroker.exe'
+ - 'C:\Windows\System32\wimserv.exe'
 filter_optional_others:
 ProcessName|endswith:
- - '\procexp64.exe'
- - '\procexp.exe'
- - '\procmon64.exe'
- - '\procmon.exe'
- - '\Google\Chrome\Application\chrome.exe'
 - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+ - '\Google\Chrome\Application\chrome.exe'
+ - '\procexp.exe'
+ - '\procexp64.exe'
+ - '\procmon.exe'
+ - '\procmon64.exe'
 filter_main_startswith:
 ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
 filter_optional_dropbox:
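Review bot: The two genuinely new exclusions in `filter_main_exact`, `C:\Windows\ImmersiveControlPanel\SystemSettings.exe` and `C:\Windows\System32\ShellHost.exe`, widen a non-optional allowlist with no trace of why they were added, and the `description`/`falsepositives` fields that would normally carry that justification are outside this hunk. Because every entry in a main filter silently drops the 4673 event for that path, a short YAML comment beside the additions, e.g. `# Windows 11 settings/shell hosts, added 2026-03-29 after benign hits in testing`, would let a later maintainer judge whether to keep them; "after benign hits" is my assumption about the motive, so wording should follow what was actually observed. The rest of the hunk is an alphabetical reorder of existing entries and keeps the exact-path matching, which is the right property for a main filter. The `detection:` mapping continues past `filter_optional_dropbox:` outside the hunk, and the first hunk is only the `modified` date bump.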