pnputil.exe being used may be performed by a system administrator.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml>sigma
technicques: t1547

Techniques

Detects when a possible suspicious driver is being installed via pnputil.exe lolbin

condition: selection
selection:
  CommandLine|contains:
  - -i
  - /install
  - -a
  - /add-driver
  - '.inf'
  Image|endswith: \pnputil.exe