New Kernel Driver Via SC.EXE

Sigma Rules

Summary
This Sigma rule detects the registration of a new kernel-driver service through the command-line client of the Windows Service Control Manager, SC.EXE. It matches process creation events in which SC.EXE is run with a 'create' or 'config' subcommand together with parameters that set the service type to 'kernel' (in sc.exe syntax 'type= kernel', with the space after the equals sign, which corresponds to the service type SERVICE_KERNEL_DRIVER, value 1). Kernel drivers execute in kernel mode with unrestricted access to system memory, so an attacker who can register one obtains a persistence mechanism that survives reboots and code execution at the highest privilege level on the host. Because creating or reconfiguring a service requires administrative rights, a hit usually indicates an already-elevated account; triage it by inspecting the binPath= value, the signature and publisher of the driver file it points to, and the user and parent process that launched SC.EXE.

Legitimate use exists: installers and administrators occasionally register drivers with sc.exe, so rare false positives from legitimate driver installations are expected. The rule is assigned a medium severity level because of the risk posed by unauthorized kernel driver installation. Note that only the SC.EXE process itself is matched; a driver registered through the service control API, or through a tool that does not spawn SC.EXE, will not trigger this rule and needs separate coverage.
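The detection logic described above, run over a handful of constructed process-creation events, as an added example (this is not the rule's own YAML and not code from the Sigma project). The field names (Image, OriginalFileName, CommandLine) follow Sysmon event 1 conventions and are an assumption; the regular expressions are my approximation of "create or config plus type= kernel", and the triage helper that pulls out the service name and binPath= value is an addition for analyst convenience rather than part of the rule.

```python
"""Illustrative re-implementation of 'New Kernel Driver Via SC.EXE'.

Matches process-creation events where sc.exe (by image name or by its
OriginalFileName, so a renamed copy is still caught) is invoked with a
'create' or 'config' subcommand and a parameter that sets the service type
to 'kernel'. Field names are Sysmon-style assumptions.
"""
import ntpath
import re

# Constructed sample telemetry for this example; none of it is real.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r"sc.exe create evildrv type= kernel binPath= C:\Users\Public\drv.sys start= auto"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r"sc config vendordrv type= kernel start= demand"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r"sc.exe create websvc type= own binPath= C:\svc\web.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r"sc.exe query type= driver"},
    # Renamed sc.exe: only the OriginalFileName (PE version resource) gives it away.
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r'svc.exe create drv2 binPath= "C:\Program Files\Tools\d.sys" type= kernel'},
    # Not a hit for this rule: the image is PowerShell. The sc.exe child it
    # spawns would produce its own process-creation event and match there.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell.exe -c "sc.exe create drv3 type= kernel binPath= C:\x\d.sys"'},
]

# 'create <name>' or 'config <name>'; group 2 is the service name.
SUBCOMMAND_RE = re.compile(r"\b(create|config)\s+(\S+)", re.IGNORECASE)
# sc.exe requires 'type= kernel' (space after '='); \s* also tolerates the
# sloppier 'type=kernel' so a trivially rewritten command line is not missed.
KERNEL_TYPE_RE = re.compile(r"\btype=\s*kernel\b", re.IGNORECASE)
# binPath= value, quoted (group 1) or bare (group 2).
BINPATH_RE = re.compile(r'\bbinPath=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def is_sc_exe(event):
    """True if the process is sc.exe by file name or by its original PE name."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "sc.exe" or original == "sc.exe"


def is_new_kernel_driver(event):
    """The rule's selection: sc.exe AND (create|config) AND type= kernel."""
    if not is_sc_exe(event):
        return False
    cmd = event.get("CommandLine", "")
    return SUBCOMMAND_RE.search(cmd) is not None and KERNEL_TYPE_RE.search(cmd) is not None


def triage_fields(cmd):
    """Pull out what an analyst needs first: action, service name, driver path."""
    sub = SUBCOMMAND_RE.search(cmd)
    bp = BINPATH_RE.search(cmd)
    return {
        "action": sub.group(1).lower() if sub else None,
        "service": sub.group(2) if sub else None,
        # 'config' may change the type without restating binPath, hence None.
        "binpath": (bp.group(1) or bp.group(2)) if bp else None,
    }


def find_hits(events):
    """Return triage records for every event the rule would match."""
    return [dict(triage_fields(e["CommandLine"]), image=e["Image"])
            for e in events if is_new_kernel_driver(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

The second sample shows why 'config' belongs in the rule: an existing, innocuous service can be flipped to a kernel driver without any 'create' call, and in that case there may be no binPath= on the command line at all, so the analyst has to query the service's current configuration to find the driver file.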
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • Command
Created: 2022-07-14