Suspicious Driver Install by pnputil.exe
Detects a possibly suspicious driver installation performed via the pnputil.exe LOLBin
Sigma rule
title: Suspicious Driver Install by pnputil.exe
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
status: test
description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
    - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-i'
            - '/install'
            - '-a'
            - '/add-driver'
            - '.inf'
        Image|endswith: '\pnputil.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Pnputil.exe may legitimately be run by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making driver changes in your environment.
    - Pnputil.exe being executed by unfamiliar users should be investigated. If known-good behavior causes false positives, it can be exempted from the rule.
level: medium
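The selection above is a single AND of two field tests: `Image` must end with `\pnputil.exe`, and `CommandLine` must contain any one of the five listed substrings (a Sigma list under `|contains` is an OR). The following Python, added here as an illustration and not part of the Sigma project, re-implements exactly that logic and runs it over a handful of constructed `process_creation` events to show what fires and what does not. Sigma string matching is case-insensitive by default, so the comparison lowercases both sides. The event dictionaries, host names, users and paths are all made up for the example.

```python
# Re-implementation of the rule's selection logic for illustration only.
# Not the Sigma project's code; the events below are constructed samples.

SELECTION_IMAGE_SUFFIX = r"\pnputil.exe"          # Image|endswith
SELECTION_CMDLINE_ANY = ("-i", "/install", "-a", "/add-driver", ".inf")  # CommandLine|contains (OR)
FIELDS = ("ComputerName", "User", "CommandLine", "ParentCommandLine")    # 'fields' section

# Constructed process_creation events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {   # Driver added from a user-writable temp path by a hidden PowerShell: should fire.
        "ComputerName": "WS01", "User": r"CORP\jdoe",
        "Image": r"C:\Windows\System32\pnputil.exe",
        "CommandLine": r"pnputil.exe /add-driver C:\Users\jdoe\AppData\Local\Temp\drv.inf /install",
        "ParentCommandLine": "powershell.exe -nop -w hidden",
    },
    {   # Read-only enumeration: none of the five substrings appear, should not fire.
        "ComputerName": "WS01", "User": r"CORP\jdoe",
        "Image": r"C:\Windows\System32\pnputil.exe",
        "CommandLine": "pnputil.exe /enum-drivers",
        "ParentCommandLine": "cmd.exe",
    },
    {   # Same command line but a different image: Image|endswith fails, should not fire.
        "ComputerName": "WS02", "User": r"CORP\svc-build",
        "Image": r"C:\Tools\driverquery.exe",
        "CommandLine": r"driverquery.exe /add-driver C:\build\out\drv.inf /install",
        "ParentCommandLine": "cmd.exe",
    },
    {   # Administrator removing a driver package: fires via '.inf' (a documented false positive).
        "ComputerName": "SRV01", "User": r"CORP\admin",
        "Image": r"C:\Windows\System32\pnputil.exe",
        "CommandLine": "pnputil.exe /delete-driver oem12.inf /uninstall",
        "ParentCommandLine": "cmd.exe",
    },
    {   # Benign interface enumeration: fires only because '-i' is a substring of '/enum-interfaces'.
        "ComputerName": "SRV01", "User": r"CORP\admin",
        "Image": r"C:\Windows\System32\pnputil.exe",
        "CommandLine": "pnputil.exe /enum-interfaces",
        "ParentCommandLine": "cmd.exe",
    },
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(SELECTION_IMAGE_SUFFIX.lower()):
        return False
    # Any one of the listed substrings is enough (Sigma list semantics under |contains).
    return any(needle.lower() in cmdline for needle in SELECTION_CMDLINE_ANY)


def matched_terms(event: dict) -> list:
    """Which of the CommandLine substrings caused the hit; useful when triaging alerts."""
    cmdline = event.get("CommandLine", "").lower()
    return [needle for needle in SELECTION_CMDLINE_ANY if needle.lower() in cmdline]


def evaluate(events: list) -> list:
    """Run the rule over a list of events and project the 'fields' the rule asks for."""
    hits = []
    for event in events:
        if matches_rule(event):
            record = {field: event.get(field) for field in FIELDS}
            record["matched_terms"] = matched_terms(event)
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Running it shows three hits out of five events: the temp-path installation, the administrator's `/delete-driver` (hit on `.inf`) and the read-only `/enum-interfaces` (hit on the two-character term `-i`). The last two are the false-positive class the rule's own `falsepositives` section describes; `matched_terms` makes it visible during triage which term fired, so exemptions for known-good administrative usage can be written narrowly rather than by dropping the rule.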
Related rules
- Atbroker Registry Change
- Potential RipZip Attack on Startup Folder
- Registry Persistence Mechanisms in Recycle Bin
- Suspicious GrpConv Execution
- WINEKEY Registry Modification