title: Suspicious VBoxDrvInst.exe Parameters
id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.
    For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
status: experimental
author: Konstantin Grishchenko, oscd.community
date: 2020/10/06
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
    - https://twitter.com/pabraeken/status/993497996179492864
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\VBoxDrvInst.exe'
        CommandLine|contains|all:
            - 'driver'
            - 'executeinf'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
level: medium