EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Windows Drivers Loaded by Signature

The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.

MITRE ATT&CK

T1014T1068

Detection Query

`sysmon` EventCode=6
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY ImageLoaded dest dvc
       process_hash process_path signature
       signature_id user_id vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_drivers_loaded_by_signature_filter`

Author

Michael Haag, Splunk

Created

2026-02-25

Data Sources

Sysmon EventID 6

References

Tags

Windows DriversCISA AA22-320AAgentTeslaBlackByte Ransomware
Raw Content
name: Windows Drivers Loaded by Signature
id: d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68
version: 7
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.
data_source:
    - Sysmon EventID 6
search: |-
    `sysmon` EventCode=6
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY ImageLoaded dest dvc
           process_hash process_path signature
           signature_id user_id vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_drivers_loaded_by_signature_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.
known_false_positives: This analytic is meant to assist with identifying and hunting drivers loaded in the environment.
references:
    - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
    - https://attack.mitre.org/techniques/T1014/
    - https://www.fuzzysecurity.com/tutorials/28.html
tags:
    analytic_story:
        - Windows Drivers
        - CISA AA22-320A
        - AgentTesla
        - BlackByte Ransomware
    asset_type: Endpoint
    mitre_attack_id:
        - T1014
        - T1068
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog