SigmaHQ/rules/windows/sysmon/sysmon_susp_driver_load.yml

title: Suspicious Driver Load from Temp
description: Detetcs a driver load from a temporary directory
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
        ImageLoaded: '*\Temp\*'
    condition: selection
falsepositives:
    - there is a relevant set of false positives depending on applications in the envirnment 
level: medium
New rules and cleanup 2017-02-12 14:50:39 +00:00			`title: Suspicious Driver Load from Temp`
			`description: Detetcs a driver load from a temporary directory`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID: 6`
			`ImageLoaded: '\Temp\'`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`condition: selection`
			`falsepositives:`
			`- there is a relevant set of false positives depending on applications in the envirnment`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: medium`