SigmaHQ/rules/windows/sysmon/sysmon_susp_driver_load.yml

title: Suspicious Driver Load from Temp
description: Detects a driver load from a temporary directory
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
        ImageLoaded: '*\Temp\\*'
    condition: selection
falsepositives:
    - there is a relevant set of false positives depending on applications in the environment 
level: medium
New rules and cleanup 2017-02-12 14:50:39 +00:00			`title: Suspicious Driver Load from Temp`
Fixed typo 2018-07-10 14:14:37 +00:00			`description: Detects a driver load from a temporary directory`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID: 6`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`ImageLoaded: '\Temp\\'`
New rules and cleanup 2017-02-12 14:50:39 +00:00			`condition: selection`
			`falsepositives:`
Update sysmon_susp_driver_load.yml 2018-07-13 23:36:12 +00:00			`- there is a relevant set of false positives depending on applications in the environment`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: medium`