rare legitimate installation of kernel drivers via sc.exe

t1543
t1543.003
windows
sigma

Techniques

t1543
t1543.003

Sample rules

New Kernel Driver Via SC.EXE

source: sigma
technicques:
- t1543
- t1543.003

Description

Detects creation of a new service (kernel driver) with the type “kernel”

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_avira_driver:
- CommandLine|contains|all:
  - create netprotection_network_filter
  - 'type= kernel start= '
  - binPath= System32\drivers\netprotection_network_filter
  - DisplayName= netprotection_network_filter
  - group= PNP_TDI tag= yes
- CommandLine|contains|all:
  - create avelam binpath=C:\Windows\system32\drivers\avelam.sys
  - type=kernel start=boot error=critical group=Early-Launch
selection:
  CommandLine|contains:
  - create
  - config
  CommandLine|contains|all:
  - binPath
  - type
  - kernel
  Image|endswith: \sc.exe