Suspicious Driver Install by pnputil.exe
Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
Sigma rule
title: Suspicious Driver Install by pnputil.exe
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
status: test
description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
    - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-i'
            - '/install'
            - '-a'
            - '/add-driver'
            - '.inf'
        Image|endswith: '\pnputil.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Pnputil.exe being used may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
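The selection above combines an Image suffix check with a `contains` list, and in Sigma a list under a modifier is OR-ed and matched case-insensitively. The following Python is an added example, not part of the Sigma project or of this rule: it re-implements the selection logic and runs it over constructed process_creation events (hostnames, users and paths are made up) so a defender can see which command lines fire. Two behaviours worth knowing stand out: driver enumeration does not trigger, while driver removal does trigger because of the `.inf` marker, so an alert should be read from the full command line rather than from the rule title alone.

```python
# Added example (not part of the Sigma project or this rule): a minimal
# evaluator for the rule's selection block, applied to constructed
# process_creation events so a defender can see what does and does not fire.
from dataclasses import dataclass
from typing import List

# Match values copied from the rule above. Sigma string modifiers are
# case-insensitive by default, and a list under `contains` is OR-ed.
IMAGE_SUFFIX = "\\pnputil.exe"
CMDLINE_MARKERS = ["-i", "/install", "-a", "/add-driver", ".inf"]


@dataclass
class ProcessEvent:
    """Subset of the fields the rule lists under `fields`, plus Image."""
    computer_name: str
    user: str
    image: str
    command_line: str
    parent_command_line: str = ""


def matched_markers(event: ProcessEvent) -> List[str]:
    """Return the `contains` values found in CommandLine, in rule order."""
    cmd = event.command_line.lower()
    return [m for m in CMDLINE_MARKERS if m.lower() in cmd]


def matches_rule(event: ProcessEvent) -> bool:
    """Image|endswith '\\pnputil.exe' AND CommandLine|contains any marker."""
    if not event.image.lower().endswith(IMAGE_SUFFIX):
        return False
    return bool(matched_markers(event))


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    # Driver staged from a world-writable path and installed: fires.
    ProcessEvent("WS01", "CORP\\jdoe",
                 "C:\\Windows\\System32\\pnputil.exe",
                 "pnputil.exe /add-driver C:\\Users\\Public\\drv.inf /install",
                 "C:\\Windows\\System32\\cmd.exe"),
    # Driver enumeration: none of the markers appear, so it does not fire.
    ProcessEvent("WS01", "CORP\\jdoe",
                 "C:\\Windows\\System32\\pnputil.exe",
                 "pnputil.exe /enum-drivers"),
    # Driver removal still fires because of the '.inf' marker; an analyst
    # should read the full command line rather than trust the rule title.
    ProcessEvent("SRV02", "CORP\\svc_deploy",
                 "C:\\Windows\\System32\\pnputil.exe",
                 "pnputil.exe /delete-driver oem5.inf /uninstall"),
    # Same arguments via cmd.exe: Image is cmd.exe, so this event does not
    # match; the child pnputil.exe process_creation event would.
    ProcessEvent("WS03", "CORP\\asmith",
                 "C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe /c pnputil -i -a C:\\Temp\\x.inf"),
]


def run(events=SAMPLE_EVENTS) -> List[ProcessEvent]:
    """Return the events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run():
        print(f"{hit.computer_name} {hit.user}: {hit.command_line} "
              f"(markers: {matched_markers(hit)})")
```

When triaging, compare the matched markers against the `falsepositives` guidance: a removal that matched only on `.inf`, or an install run by a known deployment account from its usual parent process, is a candidate for an exemption, whereas an install from an unfamiliar user or an unusual path is the case the rule is written for.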
Related rules
- Atbroker Registry Change
- Potential RipZip Attack on Startup Folder
- Registry Persistence Mechanisms in Recycle Bin
- Startup/Logon Script Added to Group Policy Object
- Suspicious GrpConv Execution