splunk_escuHunting

Windows Driver Inventory

The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.

Detection Query

`driverinventory`
  | stats values(Path) min(_time) as firstTime max(_time) as lastTime count
    BY host DriverType
  | rename host as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_driver_inventory_filter`

Author

Michael Haag, Splunk

References

https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244

Raw Content

name: Windows Driver Inventory
id: f87aa96b-369b-4a3e-9021-1bbacbfcb8fb
version: 8
creation_date: '2023-02-03'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
data_source: []
search: |-
    `driverinventory`
      | stats values(Path) min(_time) as firstTime max(_time) as lastTime count
        BY host DriverType
      | rename host as dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_driver_inventory_filter`
how_to_implement: To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.
known_false_positives: Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths.
references:
    - https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244
analytic_story:
    - Windows Drivers
asset_type: Endpoint
mitre_attack_id:
    - T1068
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log
          source: PwSh:DriverInventory
          sourcetype: PwSh:DriverInventory
      description: PORTED MANUAL TEST - Cannot be tested automatically, as it needs additional transforms and props to make the data ready.
      test_type: experimental