LoFP / rare legitimate installation of kernel drivers via sc.exe

Techniques

• t1543
• t1543.003

Sample rules

New Kernel Driver Via SC.EXE

• source: sigma
• technicques:
  • t1543
  • t1543.003

Description

Detects creation of a new service (kernel driver) with the type “kernel”

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - create
  - config
  CommandLine|contains|all:
  - binPath
  - type
  - kernel
  Image|endswith: \sc.exe