SigmaHQ/rules/windows/process_creation/win_susp_vboxdrvInst.yml

title: Suspicious VBoxDrvInst.exe Parameters
id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.
    For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
status: experimental
author: Konstantin Grishchenko, oscd.community
date: 2020/10/06
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
    - https://twitter.com/pabraeken/status/993497996179492864
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\VBoxDrvInst.exe'
        CommandLine|contains|all:
            - 'driver'
            - 'executeinf'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
level: medium
Change title and update description 2020-10-06 16:52:31 +00:00			`title: Suspicious VBoxDrvInst.exe Parameters`
Create win_susp_vboxdrvInst.yml 2020-10-06 07:18:34 +00:00			`id: b7b19cb6-9b32-4fc4-a108-73f19acfe262`
Change title and update description 2020-10-06 16:52:31 +00:00			`description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.`
			`For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys`
Create win_susp_vboxdrvInst.yml 2020-10-06 07:18:34 +00:00			`status: experimental`
			`author: Konstantin Grishchenko, oscd.community`
			`date: 2020/10/06`
			`references:`
			`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml`
Change title and update description 2020-10-06 16:52:31 +00:00			`- https://twitter.com/pabraeken/status/993497996179492864`
Create win_susp_vboxdrvInst.yml 2020-10-06 07:18:34 +00:00			`tags:`
			`- attack.defense_evasion`
fixed typo in att&ck mapping tag 2020-10-06 09:22:19 +00:00			`- attack.t1112`
Create win_susp_vboxdrvInst.yml 2020-10-06 07:18:34 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`Image\|endswith: '\VBoxDrvInst.exe'`
Remove asterisk from condition 2020-10-13 19:37:51 +00:00			`CommandLine\|contains\|all:`
			`- 'driver'`
			`- 'executeinf'`
Create win_susp_vboxdrvInst.yml 2020-10-06 07:18:34 +00:00			`condition: selection`
			`fields:`
			`- ComputerName`
			`- User`
			`- CommandLine`
			`- ParentCommandLine`
			`falsepositives:`
			`- Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process`
newline at the end of file 2020-10-06 07:35:12 +00:00			`level: medium`