Uncommon driver loaded

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-11-09
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Rootkit (T1014)

Severity

Low

Description

An uncommon driver was loaded.

Attacker's Goals

Gaining kernel-level access in order to take full control over the machine or disable security products.

Investigative actions

Investigate which process created the driver and how it was loaded.

Variations

Uncommon driver loaded by a Web server process

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Rootkit (T1014)

Severity

High

Description

An uncommon driver was loaded by a web server process.

Attacker's Goals

Gaining kernel-level access in order to take full control over the machine or disable security products.

Investigative actions

Investigate which process created the driver and how it was loaded.

Globally rare and unsigned driver loaded

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Rootkit (T1014)

Severity

Medium

Description

A globally rare and unsigned driver was loaded.

Attacker's Goals

Gaining kernel-level access in order to take full control over the machine or disable security products.

Investigative actions

Investigate which process created the driver and how it was loaded.

Uncommon driver with a globally rare vendor loaded as a service

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Rootkit (T1014)

Severity

Medium

Description

An uncommon driver from a globally rare vendor was loaded as a service.

Attacker's Goals

Gaining kernel-level access in order to take full control over the machine or disable security products.

Investigative actions

Investigate which process created the driver and how it was loaded.