Sig for installing kernel service driver

modules/signatures/windows/driver_load.py

@@ -15,7 +15,6 @@
 
 from lib.cuckoo.common.abstracts import Signature
 
-
 class DriverLoad(Signature):
     name = "driver_load"
     description = "Loads a driver"
@@ -44,3 +43,36 @@ def on_call(self, call, process):
 
     def on_complete(self):
         return self.found_driverload
+
+class InstallKernelDriverService(Signature):
+    name = "install_kernel_driver_service"
+    description = "Installs a new kernel driver service, indicative of Bring Your Own Vulnerable Driver (BYOVD) attacks or a rootkit"
+    severity = 3
+    confidence = 80
+    categories = ["driver", "rootkit", "bypass", "wiper"]
+    authors = ["Kevin Ross"]
+    minimum = "1.3"
+    evented = True
+    enabled = True
+    ttps = ["T1543.003", "T1068", "T1547.006"]
+    mbcs = ["E1543.003", "F0011"]
+
+    filter_apinames = set(["CreateServiceA", "CreateServiceW"])
+
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+        self.found = False
+
+    def on_call(self, call, process):
+        service_type = self.get_argument(call, "ServiceType")
+        binary_path = self.get_argument(call, "BinaryPathName")
+
+        is_kernel_driver = (isinstance(service_type, str) and "SERVICE_KERNEL_DRIVER" in service_type) or \
+                           service_type in (1, "1", "0x00000001")
+
+        if is_kernel_driver and binary_path and binary_path.lower().endswith(".sys"):
+            self.found = True
+            self.mark_call()
+
+    def on_complete(self):
+        return self.found