← Back to Explore
sigmahighHunting
Driver Load From A Temporary Directory
Detects a driver load from a temporary directory
Detection Query
selection:
ImageLoaded|contains: \Temp\
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2017-02-12
Data Sources
windowsDriver Load Events
Platforms
windows
References
Tags
attack.persistenceattack.privilege-escalationattack.t1543.003
Raw Content
title: Driver Load From A Temporary Directory
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
status: test
description: Detects a driver load from a temporary directory
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-02-12
modified: 2021-11-27
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: driver_load
product: windows
detection:
selection:
ImageLoaded|contains: '\Temp\'
condition: selection
falsepositives:
- There is a relevant set of false positives depending on applications in the environment
level: high