Merge pull request #803 from mandiant/mr-tz-patch-3
Create enumerate-device-drivers-on-windows.yml
mr-tz authored Aug 7, 2023
2 parents e7d0b79 + ac07d47 commit 1f440be
Showing 1 changed file with 23 additions and 0 deletions.
23 changes: 23 additions & 0 deletions nursery/enumerate-device-drivers-on-windows.yml
@@ -0,0 +1,23 @@
rule:
meta:
name: enumerate device drivers on Windows
namespace: collection
authors:
- "@mr-tz"
scope: function
att&ck:
- Discovery::Device Driver Discovery [T1652]
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-registry-trees-and-keys
features:
- or:
- api: EnumDeviceDrivers
- string: /driverquery(.exe)?/i
- and:
- or:
- match: query or enumerate registry key
- match: query or enumerate registry value
- string: /System\\(CurrentControlSet|ControlSet001)\\Services/i
- string: /System\\(CurrentControlSet|ControlSet001)\\Control/i
- string: /System\\(CurrentControlSet|ControlSet001)\\Enum/i
- string: /System\\(CurrentControlSet|ControlSet001)\\HardwareProfiles/i
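Review bot: the three trailing `string:` patterns for `Control`, `Enum` and `HardwareProfiles` are unanchored prefix matches on whole registry subtrees, so the `and` branch fires for any function that queries a key under `System\CurrentControlSet\Control` together with a generic registry read, and a great deal of software that has nothing to do with drivers does exactly that; either narrow these to the driver-specific subkeys the referenced Microsoft page describes, or add a `description:` entry under `meta:` stating that the rule is deliberately broad while it lives in `nursery/`, so the intent is recorded for whoever promotes it. The alternation `(CurrentControlSet|ControlSet001)` also covers only the first numbered control set; `(CurrentControlSet|ControlSet\d{3})` would match the other numbered sets without loosening anything else.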
