
# Windows Driver Analysis

Purpose: Find malicious or suspicious kernel drivers loaded on Windows endpoints across a network

Data Required: List of drivers loaded on each endpoint

Collection Considerations: Typically run `driverquery /v /fo csv` on each host (the `/v` output includes the module name, description, link date and on-disk path; `/si` reports signed-driver information). Collect from every endpoint the same way so that the fields stack cleanly.

Analysis Techniques: Stack counting


Examine driver entries for:

  • Impossible, zeroed or garbage link dates (for example the FILETIME epoch 1/1/1601, the Unix epoch 1/1/1970, or a date in the future). Caveat: Microsoft's own binaries are built reproducibly and carry a hash-derived timestamp rather than a real build time, so a nonsensical link date on a signed Microsoft driver is expected and not suspicious on its own
  • Stack each binary image (module name, path and link date) across all hosts and look for entries seen on only one or a few endpoints, or whose link date differs from every other copy of the same driver
  • Unusual filenames or locations of binaries (anything loaded from outside %SystemRoot%\system32\drivers or the DriverStore, especially from user-writable directories)
  • Rare descriptions
  • Incorrect descriptions (grammar, typos, punctuation, etc.), which a legitimate vendor rarely ships
  • Rare display names
  • Missing, invalid or unusual digital signatures (`driverquery` does not verify signatures itself; use `driverquery /si`, `Get-AuthenticodeSignature` or Sysinternals `sigcheck` on the paths it reports)
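
The stack-counting pass described above, as an added Python example that is not part of this page or its project: it parses `driverquery /v /fo csv` output collected from several hosts, stacks each binary image by module name, path and link date, and flags images that are rare across the fleet, carry a zeroed or unparseable link date, or load from an unexpected path. The four hosts, their driver rows, the `EXPECTED_PATH_PREFIXES` list and the English-locale column names and date format are all constructed assumptions for the example, not real collected data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Column names as `driverquery /v /fo csv` emits them on an English-locale
# host (assumption: other locales change the names and the date format).
HEADER = (
    '"Module Name","Display Name","Description","Driver Type","Start Mode",'
    '"State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)",'
    '"Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"'
)
# Constructed rows present on every sample host (all values are made up).
COMMON_ROWS = [
    '"ACPI","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot",'
    '"Running","OK","TRUE","FALSE","98,304","376,832","0",'
    '"6/18/2021 10:05:12 PM","C:\\Windows\\system32\\drivers\\ACPI.sys","36,864"',
    '"tcpip","TCP/IP Protocol Driver","TCP/IP Protocol Driver","Kernel","Boot",'
    '"Running","OK","TRUE","FALSE","1,224,704","2,555,904","0",'
    '"3/2/2022 4:41:07 AM","C:\\Windows\\system32\\drivers\\tcpip.sys","53,248"',
]
# Constructed outlier: on one host only, loaded from a user-writable directory,
# zeroed (FILETIME epoch) link date, typos in display name and description.
OUTLIER_ROW = (
    '"wdsvc","Windows Defneder Core","Windows Defneder Core Servce","Kernel","Auto",'
    '"Running","OK","TRUE","FALSE","0","12,288","0",'
    '"1/1/1601 12:00:00 AM","C:\\Users\\Public\\wdsvc.sys","4,096"'
)
# Where drivers normally load from; tune for your environment (assumption).
EXPECTED_PATH_PREFIXES = ("c:\\windows\\system32\\drivers\\",
                          "\\systemroot\\system32\\drivers\\",
                          "c:\\windows\\system32\\driverstore\\")
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # English-locale driverquery date format


def build_sample():
    """Return {hostname: csv_text} as if collected from four endpoints."""
    sample = {}
    for host in ("WS01", "WS02", "WS03", "WS04"):
        rows = [HEADER] + COMMON_ROWS + ([OUTLIER_ROW] if host == "WS03" else [])
        sample[host] = "\n".join(rows) + "\n"
    return sample


def link_date_anomaly(value, now=None):
    """Reason string if the link date is missing, garbage, zeroed or in the
    future, else None. Caveat: Microsoft binaries built reproducibly carry a
    hash-derived timestamp, so odd dates on signed Microsoft drivers are normal."""
    if not value or not value.strip():
        return "missing link date"
    try:
        dt = datetime.strptime(value.strip(), DATE_FORMAT)
    except ValueError:
        return "unparseable link date"
    if dt.year < 1990:  # catches the FILETIME (1601) and Unix (1970) zero epochs
        return "zeroed or impossible link date (before 1990)"
    if now is not None and dt > now:
        return "link date in the future"
    return None


def stack_drivers(sample):
    """Stack count: key each binary image by (module, path, link date) and
    record the set of hosts carrying it."""
    stacks = defaultdict(set)
    for host, text in sample.items():
        for row in csv.DictReader(io.StringIO(text)):
            stacks[(row["Module Name"], row["Path"], row["Link Date"])].add(host)
    return stacks


def analyze(sample, now=None, rare_max_hosts=1):
    """Findings for images that are rare across hosts, oddly dated or oddly located."""
    stacks = stack_drivers(sample)
    total = len(sample)
    findings = []
    for (module, path, link_date), hosts in sorted(stacks.items()):
        reasons = []
        if len(hosts) <= rare_max_hosts:
            reasons.append(f"rare: seen on {len(hosts)} of {total} hosts")
        issue = link_date_anomaly(link_date, now)
        if issue:
            reasons.append(issue)
        if not path.lower().startswith(EXPECTED_PATH_PREFIXES):
            reasons.append(f"unusual path: {path}")
        if reasons:
            findings.append({"module": module, "path": path, "link_date": link_date,
                             "hosts": sorted(hosts), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(build_sample(), now=datetime.now()):
        print(f["module"], f["hosts"], "; ".join(f["reasons"]))
```

Against the constructed sample the two common drivers stack on all four hosts and produce no findings, while `wdsvc` is reported once with three reasons (rare, zeroed link date, unusual path). On real data, raise `rare_max_hosts` to a small fraction of the fleet, and treat a link-date hit on a Microsoft-signed driver as noise until the signature check says otherwise.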

More Info