install driver

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: install driver
    namespace: host-interaction/driver
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Create or Modify System Process::Windows Service [T1543.003]
    mbc:
      - Hardware::Install Driver [C0037]
    references:
      - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/set.htm
    examples:
      - af60700383b75727f5256a0000c1476f:0x1127E
  features:
    - or:
      - api: ntdll.NtLoadDriver
      - api: ZwLoadDriver
      - and:
        - number: 38 = SystemLoadAndCallImage
        - or:
          - api: NtSetSystemInformation
          - api: ZwSetSystemInformation
last edited: 2024-02-14 13:56:47