false positives may be present based on common applications adding new drivers, however, filter as needed.

t1068
t1543
t1543.003
endpoint
splunk

Techniques

T1068
T1543
T1543.003

Sample rules

Windows Service Create Kernel Mode Driver

source: splunk
technicques:
- T1543.003
- T1543
- T1068

Description

The following analytic identifes a new kernel driver being added to Windows using sc.exe. Adding a Kernel driver is not common day to day and should be investigated to further understand the source.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process="*kernel*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_service_create_kernel_mode_driver_filter`