medium advisory

Expired or Revoked Driver Loaded

An expired or revoked driver being loaded on a Windows system may indicate an attempt to gain kernel-mode code execution, or to reuse a revoked signing certificate, for privilege escalation or defense evasion.

Attackers may load drivers signed with expired or revoked certificates in order to run code in kernel mode, either to escalate privileges or to operate beneath security controls that run in user mode. Kernel drivers are loaded by the System process (PID 4), so the referenced Elastic detection rule, last updated on May 4, 2026, restricts itself to image loads attributed to PID 4 and then inspects the code signature status of the loaded image. The PID filter separates driver loads from ordinary user-mode DLL loads; the signal itself is a status of “errorExpired” or “errorRevoked”. Such a load is not proof of compromise on its own, since legitimate vendor drivers whose certificates have since expired or been revoked can still be in service, but it is a strong lead that warrants checking the signer, the driver path, and whether the driver appears on a vulnerable-driver blocklist.

Attack Chain

  1. The attacker gains initial access to the system (e.g., through social engineering or by exploiting a vulnerability) and obtains administrative rights, which are needed to register and start a driver service.
  2. The attacker obtains or creates a malicious driver signed with an expired or revoked certificate, or an outdated driver with known vulnerabilities.
  3. The attacker attempts to load the driver on the targeted Windows system.
  4. Windows Code Integrity verifies the driver’s signature chain as the image is loaded.
  5. The signing certificate is expired or revoked. Code Integrity does not perform online revocation checks for kernel-mode drivers, and a signature with a valid timestamp countersignature remains acceptable after its certificate expires, so the load is not necessarily refused; the endpoint sensor, however, reports the signature status as errorExpired or errorRevoked.
  6. Where the signature is actually rejected, the attacker must force the load by other means, such as a signature-enforcement bypass or a misconfiguration (e.g., test-signing mode).
  7. The driver runs in kernel mode, giving the attacker control that user-mode security controls cannot constrain.
  8. The attacker leverages the driver to execute malicious code, escalate privileges, or disable or evade security defenses.

Impact

A successful attack involving the loading of an expired or revoked driver can lead to complete system compromise. Once in the kernel, an attacker can read or tamper with sensitive data, install further malware, blind or terminate security tooling, or disrupt critical services. The consequences range from data breaches to system instability and loss of integrity. The Elastic detection rule aims to surface these loads before significant damage occurs.

Recommendation

  • Deploy the Sigma rule provided below to detect instances of expired or revoked drivers being loaded (reference: Sigma rule).
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy and risk of the loaded driver: identify the signer, the driver path, and the process that registered the driver service (reference: Sigma rule).
  • When triaging, check whether the signature carries a valid timestamp countersignature (an expired certificate with a good timestamp is expected for older vendor drivers) and whether the driver appears on Microsoft’s vulnerable driver blocklist; a revoked certificate or a blocklisted driver should be treated as malicious until proven otherwise.
  • Enable endpoint detection and response (EDR) solutions such as Elastic Defend to gain visibility into driver loading events and their code signature status (reference: Elastic Defend).
  • Regularly update driver blocklists to prevent the loading of known malicious or vulnerable drivers (reference: References URL).
  • Monitor image-load events attributed to the System process (PID 4), which is where kernel driver loads appear, so that an expired or revoked signature status there is recognised as a driver load rather than a user-mode DLL load (reference: Sigma rule, process.pid == 4).
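The rule logic described above, and the PID 4 filter the recommendations refer to, as an added example run over constructed image-load events. This is not Elastic’s or the Sigma project’s own code. It assumes ECS-style field names as used by Elastic Defend library events (event.category, host.os.type, process.pid, dll.path, dll.code_signature.status, dll.code_signature.subject_name); the sample events, driver names and signer names are constructed for the example, not captured telemetry.

```python
"""Detection logic for expired/revoked driver loads, over constructed events.

Added example, not Elastic's or Sigma's code. Field names follow the Elastic
Common Schema as an assumption; the sample events below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Windows System process: kernel driver image loads are attributed to it.
SYSTEM_PID = 4
# Code signature status values the rule treats as expired or revoked.
SUSPECT_STATUS = {"errorExpired", "errorRevoked"}
# Event categories under which Elastic Defend reports image loads (assumption).
IMAGE_LOAD_CATEGORIES = {"library", "driver"}


@dataclass(frozen=True)
class Alert:
    driver: str
    status: str
    subject: str


def is_driver_load(event: dict) -> bool:
    """True for a Windows image-load event attributed to PID 4.

    The PID filter is what separates kernel driver loads from user-mode DLL
    loads; a stale third-party DLL in some user process is a different problem
    and must not trip this rule.
    """
    return (
        event.get("event", {}).get("category") in IMAGE_LOAD_CATEGORIES
        and event.get("host", {}).get("os", {}).get("type") == "windows"
        and event.get("process", {}).get("pid") == SYSTEM_PID
    )


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert when a driver load carries an expired or revoked signature."""
    if not is_driver_load(event):
        return None
    sig = event.get("dll", {}).get("code_signature", {})
    status = sig.get("status")
    if status not in SUSPECT_STATUS:
        return None
    return Alert(
        driver=event["dll"].get("path", "<unknown>"),
        status=status,
        subject=sig.get("subject_name", "<unknown>"),
    )


def run(events: List[dict]) -> List[Alert]:
    """Apply the rule to a batch of events and return the alerts in order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


def _event(pid: int, path: str, status: str, subject: str, category: str = "library") -> dict:
    """Build a constructed ECS-shaped image-load event (not real telemetry)."""
    return {
        "event": {"category": category},
        "host": {"os": {"type": "windows"}},
        "process": {"pid": pid},
        "dll": {"path": path, "code_signature": {"status": status, "subject_name": subject}},
    }


# Constructed sample events: two true positives, three that must stay silent.
SAMPLE_EVENTS = [
    _event(4, r"C:\Windows\System32\drivers\tcpip.sys", "trusted", "Microsoft Windows"),
    _event(4, r"C:\Windows\Temp\example_revoked.sys", "errorRevoked", "Example Vendor Ltd"),
    _event(4, r"C:\Windows\Temp\example_expired.sys", "errorExpired", "Example Vendor Ltd"),
    # user-mode DLL with a lapsed certificate: pid != 4, so not a driver load
    _event(1234, r"C:\Program Files\ExampleApp\old.dll", "errorExpired", "Example Vendor Ltd"),
    # unsigned driver: a concern for other rules, but not this status check
    _event(4, r"C:\Windows\System32\drivers\example_dev.sys", "unsigned", "<none>"),
]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"ALERT driver={alert.driver} status={alert.status} signer={alert.subject}")
```

The two alerts this produces are leads, not verdicts: for each, confirm the signer and path, check whether the signature has a valid timestamp countersignature (which keeps an expired certificate acceptable to Code Integrity), and check the driver hash against a vulnerable-driver blocklist before escalating.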

Detection coverage (2 rules)

Detect Expired or Revoked Driver Load via Image Load

medium

Detects loading of an expired or revoked driver based on code signature status using image load events.

Sigma. Tactics: Defense Evasion, Privilege Escalation. Technique: T1553.002 (Subvert Trust Controls: Code Signing). Sources: image_load, windows.

Detect Expired or Revoked Driver Load - Process Creation

medium

Detects attempts to load an expired or revoked driver by monitoring process creation events, focusing on activity attributed to the System process (PID 4).

Sigma. Tactics: Defense Evasion, Privilege Escalation. Technique: T1553.002 (Subvert Trust Controls: Code Signing). Sources: process_creation, windows.
