title: DriverQuery.EXE Execution
id: a20def93-0709-4eae-9bd2-31206e21e6b2
related:
    - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
      type: similar
status: test
description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
references:
    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-19
modified: 2023-09-29
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: 'driverquery.exe'
        - OriginalFileName: 'drvqry.exe'
    filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - ParentImage|contains:
              - '\AppData\Local\'
              - '\Users\Public\'
              - '\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use by third party tools in order to investigate installed drivers
level: medium # Level could be reduced to low if this utility is often used in your environment