New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
Sigma rule (View on GitHub)
1title: New Kernel Driver Via SC.EXE
2id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
3status: test
4description: Detects creation of a new service (kernel driver) with the type "kernel"
5references:
6 - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-07-14
9modified: 2022-08-08
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1543.003
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\sc.exe'
20 CommandLine|contains:
21 - 'create'
22 - 'config'
23 CommandLine|contains|all:
24 - 'binPath'
25 - 'type'
26 - 'kernel'
27 condition: selection
28falsepositives:
29 - Rare legitimate installation of kernel drivers via sc.exe
30level: medium
References
-
As we head into 2022, ransomware groups continue to plague our digital environment with new and interesting techniques to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) solutions and ensuring the successful execution of their ransomware payloads. In December 2021, Stroz Friedberg’s Incident Response Services team engaged in a Digital Forensics and Incident […]
Read More
Related rules
- Driver Load From A Temporary Directory
- Moriya Rootkit - System
- Moriya Rootkit File Created
- New Service Creation Using PowerShell
- New Service Creation Using Sc.EXE