New

The executive guide to generative AI

Read more

Untrusted Driver Loaded

edit

Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Defense Evasion

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
library where process.pid == 4 and
  dll.code_signature.trusted != true and
  not dll.code_signature.status : ("errorExpired", "errorRevoked")

Framework: MITRE ATT&CKTM

On this page

Was this helpful?
Feedback