splunk · nasbench · Jan 6, 2026 · Dec 19, 2025 · Dec 19, 2025 · Dec 22, 2025
@@ -1,33 +1,34 @@
 name: Windows File Without Extension In Critical Folder
 id: 0dbcac64-963c-11ec-bf04-acde48001122
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-12-19'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: TTP
-description: The following analytic detects the creation of files without extensions
-  in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem
-  datamodel, focusing on file paths and creation times. This activity is significant
-  as it may indicate the presence of destructive malware, such as HermeticWiper, which
-  drops driver components in these directories. If confirmed malicious, this behavior
-  could lead to severe system compromise, including boot sector wiping, resulting
-  in potential data loss and system inoperability.
+description: This analytic detects the creation of files without extensions in critical Windows system and driver-related directories, including but not limited to System32\Drivers, Windows\WinSxS, and other known Windows driver storage and loading paths. The detection has been expanded to comprehensively cover all commonly abused and legitimate Windows driver folder locations, increasing visibility into attempts to stage or deploy kernel-mode components. The analytic leverages telemetry from the Endpoint.Filesystem data model, with a focus on file creation events and file path analysis. File creation activity in these directories—particularly involving extensionless files—is highly suspicious, as it may indicate the presence of destructive or stealthy malware. This behavior is consistent with malware families such as HermeticWiper, which deploy kernel driver components into trusted Windows driver directories to obtain low-level access and execute destructive payloads. If confirmed malicious, this activity can result in severe system compromise, including the deployment of malicious drivers, boot-sector or filesystem destruction, and ultimately system inoperability and irreversible data loss.
 data_source:
 - Sysmon EventID 11
-search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
-  where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*")
+search: |
+  | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
+  where Filesystem.file_path IN("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*", "*\\WINDOWS\\inf\\*","*\\Program Files*", "*\\WINDOWS\\System32\\DriverStore\\*","*:\\Windows\\WinSxS\\*","*\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*","*\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*","*\\Windows\\servicing\\*", "*\\Windows\\ELAMBKUP\\*","*\\Windows\\Boot\\*","*\\System32\\Boot\\*","*\\System32\\Recovery\\*", "C:\\AMD\\*", "C:\\OEM\\*")
   by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
   Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
   Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
-  Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` |
-  rex field="file_name" "\.(?<extension>[^\.]*$)" | where isnull(extension) | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`'
+  Filesystem.user Filesystem.vendor_product 
+  | `drop_dm_object_name(Filesystem)` 
+  | rex field="file_name" "\.(?<extension>[^\.]*$)" 
+  | where isnull(extension) 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `windows_file_without_extension_in_critical_folder_filter`
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
 known_false_positives: Unknown at this point
 references:
 - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
+- https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
+- https://learn.microsoft.com/en-us/answers/questions/2184241/where-does-windows-installation-search-for-drivers
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
@@ -48,7 +49,9 @@ rba:
   - field: user
     type: user
     score: 90
-  threat_objects: []
+  threat_objects:
+  - field: file_name
+    type: file_name
 tags:
   analytic_story:
   - Data Destruction

@@ -1,8 +1,8 @@
 name: Windows Service Create Kernel Mode Driver
 id: 0b4e3b06-1b2b-4885-b752-cf06d12a90cb
-version: 7
-date: '2025-05-02'
-author: Michael Haag, Splunk
+version: 8
+date: '2025-12-19'
+author: Michael Haag, Teoderick Contreras Splunk
 status: production
 type: TTP
 description: The following analytic identifies the creation of a new kernel mode driver
@@ -17,15 +17,19 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe
-  Processes.process="*kernel*" by Processes.action Processes.dest Processes.original_file_name
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
+    where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe)  Processes.process IN ("*kernel*", "*filesys*") Processes.process="*type*"
+  by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
-  Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`'
+  Processes.user Processes.user_id Processes.vendor_product 
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_service_create_kernel_mode_driver_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -39,6 +43,8 @@ known_false_positives: False positives may be present based on common applicatio
   adding new drivers, however, filter as needed.
 references:
 - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
+- https://whiteknightlabs.com/2025/11/25/discreet-driver-loading-in-windows/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-config
 drilldown_searches:
 - name: View the detection results for - "$user$" and "$dest$"
   search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'

@@ -1,7 +1,7 @@
 name: Windows Suspicious Driver Loaded Path
 id: 2ca1c4a1-8342-4750-9363-905650e0c933
-version: 5
-date: '2025-09-18'
+version: 6
+date: '2025-12-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -15,12 +15,13 @@ description: The following analytic detects the loading of drivers from
   leading to privilege escalation, persistence, or further system compromise.
 data_source:
 - Sysmon EventID 6
-search: '`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*",
-  "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*","*:\Windows\\WinSxS\\*","*\\ProgramData\\Microsoft\\Windows
-  Defender\\Definition Updates\\*")) |  stats  min(_time) as firstTime max(_time)
-  as lastTime count by ImageLoaded dest dvc process_hash process_path signature signature_id
-  user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `windows_suspicious_driver_loaded_path_filter`'
+search: '`sysmon` EventCode=6 
+   ImageLoaded IN("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
+  "*Recycle.bin*", "*\\Windows\\Media\\*","\\Windows\\repair\\*", "*\\PerfLogs\\*", "*:\\Windows\\Prefetch\\*", "*:\\Windows\\Cursors\\*", "*\\temp\\*", "*\\download*", "*\\appdata\\*") 
+   |  stats  min(_time) as firstTime max(_time) as lastTime count by ImageLoaded dest dvc process_hash process_path signature signature_id user_id vendor_product 
+   | `security_content_ctime(firstTime)` 
+   | `security_content_ctime(lastTime)`
+   | `windows_suspicious_driver_loaded_path_filter`'
 how_to_implement: To successfully implement this search, you need to be 
   ingesting logs with the driver loaded and Signature from your endpoints. If 
   you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -29,6 +30,7 @@ known_false_positives: Limited false positives will be present. Some
 references:
 - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/
 - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
+- https://whiteknightlabs.com/2025/11/25/discreet-driver-loading-in-windows/
 drilldown_searches:
 - name: View the detection results for - "$dest$"
   search: '%original_detection_search% | search  dest = "$dest$"'