pnputil.exe being executed by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Suspicious Driver Install by pnputil.exe

Description

Detects when a possibly suspicious driver is being installed via the pnputil.exe LOLBin.

Detection logic

detection:
    selection:
        Image|endswith: '\pnputil.exe'
        CommandLine|contains:
            - '-i'
            - '/install'
            - '-a'
            - '/add-driver'
            - '.inf'
    condition: selection