/
proc_creation_win_driverquery_recon.yml
38 lines (38 loc) · 1.29 KB
/
proc_creation_win_driverquery_recon.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
title: Potential Recon Activity Using DriverQuery.EXE
id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
related:
- id: a20def93-0709-4eae-9bd2-31206e21e6b2
type: similar
status: experimental
description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
references:
- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
- https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/19
modified: 2023/09/29
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: 'driverquery.exe'
- OriginalFileName: 'drvqry.exe'
selection_parent:
- ParentImage|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- ParentImage|contains:
- '\AppData\Local\'
- '\Users\Public\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Legitimate usage by some scripts might trigger this as well
level: high