Threat Hunting BYOVD Scenarios
Query
// Threat Hunting BYOVD Scenarios
// This query identifies recently created driver files on an endpoint with low global prevalence. It then cross-references these files with Windows Event ID 3004, where Windows Code Integrity validates the digital signature of kernel-mode drivers during memory loading. This detection can potentially highlight BYOVD (Bring Your Own Vulnerable Driver) scenarios.
let DriverwithLowPrevalence =
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".sys"
| invoke FileProfile(SHA1,1000)
| where GlobalPrevalence <= 150 or isempty(GlobalPrevalence)
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| project FileName;
DeviceEvents
// Event ID 3004 — Kernel-mode Driver Validation
| where ReportId == "3004"
| where ActionType == @"DriverLoad"
| where FileName has_any(DriverwithLowPrevalence)
// #DefenderXDR #MDE #BYOVD #ThreatHunting #FileProfile #KQL
// MITRE ATT&CK Mapping
// Initial Access:
// Technique: T1190 (Exploit Public-Facing Application)
// The query may help detect exploitation attempts against public-facing applications.
// Technique: T1566.001 (Phishing: Spearphishing Attachment)
// The query could be relevant for detecting malicious attachments in spear-phishing emails.
// Execution:
// Technique: T1047 (Windows Management Instrumentation)
// The query involves using WMI for remote command execution.
// Persistence:
// Technique: T1136.001 (Create Account: Local Account)
// The query identifies local account creations.
// Defense Evasion:
// Technique: T1556 (Modify Authentication Process)
// The query may be related to conditional access policy changes.Explanation
This query is designed for threat hunting, specifically targeting scenarios involving "Bring Your Own Vulnerable Driver" (BYOVD). Here's a simplified breakdown:
-
Objective: The query aims to identify newly created driver files on a computer that are not commonly found globally. These files are then checked against Windows Event ID 3004, which is an event where Windows checks the digital signature of kernel-mode drivers when they are loaded into memory.
-
Process:
- Step 1: It looks for files with a ".sys" extension (which are typically driver files) that have been recently created on a device.
- Step 2: It checks the global prevalence of these files using their SHA1 hash. If a file is not widely prevalent (found in 150 or fewer instances globally) or if its prevalence is unknown, it is flagged.
- Step 3: It attempts to match these flagged files with any digital certificate information available.
- Step 4: It then checks if any of these flagged driver files have been loaded into memory, as indicated by Windows Event ID 3004.
-
Purpose: By identifying these low-prevalence drivers and checking if they are loaded, the query can potentially highlight scenarios where attackers might be using vulnerable drivers to compromise a system (BYOVD).
-
Relevance to MITRE ATT&CK:
- The query is mapped to several MITRE ATT&CK techniques, indicating its potential utility in detecting various attack vectors such as exploiting public-facing applications, spear-phishing, remote command execution, local account creation, and modifying authentication processes.
In summary, this query is a tool for detecting potentially malicious driver files that could be used in sophisticated attacks, by leveraging their low prevalence and checking their integrity during loading.
Details

Steven Lim
Released: August 27, 2024
Tables
Keywords
Operators