Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Suspicious Driver Install by pnputil.exe

Detects when a possible suspicious driver is being installed via pnputil.exe lolbin

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Hai Vaknin, Avihay eldad, Austin SongerCreated Thu Sep 30Updated Sun Oct 09a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        CommandLine|contains:
            - '-i'
            - '/install'
            - '-a'
            - '/add-driver'
            - '.inf'
        Image|endswith: '\pnputil.exe'
    condition: selection
False Positives

Pnputil.exe being used may be performed by a system administrator.

Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
strontic.github.io
MITRE ATT&CK
Rule Metadata
Rule ID
a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
Status
test
Level
medium
Type
Detection
Created
Thu Sep 30
Modified
Sun Oct 09
Author
Hai Vaknin, Avihay eldad, Austin Songer
Path
rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547
View on GitHub