
Summary
This detection rule identifies the creation of a kernel mode driver with the `sc.exe` command, an operation that is uncommon in routine system usage. The rule uses data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that record command-line details. Creating a kernel driver can indicate an attacker's attempt to gain low-level access to the system and execute privileged commands that compromise the system's security. The rule draws on Sysmon, Windows Event logs, and other process monitoring logs to assess whether a driver creation is tied to malicious activity. Because the risk is high-privilege execution, organizations should monitor such behavior closely.
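As an added illustration, not part of the rule itself, the following Python applies the summary's logic to constructed Sysmon-style process-creation events: it flags `sc.exe create` command lines whose service type is `kernel` and extracts the service name and driver path for triage. The `Image` and `CommandLine` field names follow Sysmon Event ID 1; the sample events are constructed and do not come from any real host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# The first two show the behaviour the rule describes; the rest are benign lookalikes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe create mydrv type= kernel binPath= C:\Temp\mydrv.sys"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" create filtdrv binPath= C:\Users\Public\f.sys type=kernel start= auto'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe create svc1 binPath= C:\Program Files\App\svc.exe type= own"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe query type= driver"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo kernel"},
]

# sc.exe accepts both "type= kernel" and "type=kernel", so whitespace after "=" is optional.
_CREATE_RE = re.compile(r"\bcreate\s+(?P<name>\S+)", re.IGNORECASE)
_KERNEL_TYPE_RE = re.compile(r"\btype=\s*kernel\b", re.IGNORECASE)
# binPath value runs until the next "key=" argument or the end of the command line.
_BINPATH_RE = re.compile(r"\bbinPath=\s*(?P<path>.+?)(?=\s+\w+=|\s*$)", re.IGNORECASE)


def is_kernel_driver_create(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return finding details if the event is sc.exe creating a kernel-mode driver, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("sc.exe"):
        return None
    create = _CREATE_RE.search(cmd)
    if not create or not _KERNEL_TYPE_RE.search(cmd):
        return None
    binpath = _BINPATH_RE.search(cmd)
    return {
        "service": create.group("name"),
        "driver_path": binpath.group("path") if binpath else "",
        "command_line": cmd,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over a batch of events and return only the findings."""
    return [f for f in (is_kernel_driver_create(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"kernel driver created: {finding['service']} -> {finding['driver_path']}")
```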
Categories
- Endpoint
- Windows
- Infrastructure
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1543.003
- T1543
- T1068
Created: 2024-11-13