Try in Splunk Security Cloud

Description

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-03-30
  • Author: Michael Haag, Splunk
  • ID: d0a9323f-9411-4da6-86b2-18c184d750c0

Narrative

A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\system32\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.

Detections

Name Technique Type
Windows Driver Load Non-Standard Path Rootkit TTP
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Hunting
Windows Registry Certificate Added Install Root Certificate, Subvert Trust Controls TTP
Windows Registry Modification for Safe Mode Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Windows Service Create Kernel Mode Driver Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation TTP
Windows System File on Disk Exploitation for Privilege Escalation Hunting

Reference

source | version: 1