ELAM Driver Load Policy Weakened - Allow Known Bad Critical Drivers

Rule Info

Name
ELAM Driver Load Policy Weakened - Allow Known Bad Critical Drivers
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects a change to the driver load policy setting that allows known bad critical drivers to load. While this is the default setting, a machine might previously have had a stricter configuration, and this change is an attempt to weaken it.
Date
2024-01-24 00:00:00
Modified
None
Id
f140494a-610f-4337-bfcd-489f8cfef606
Tags
attack.defense_evasion attack.t1564.001
Type
Nextron Sigma feed only (private)

Rule History