Suspicious Driver Service Installation

Rule Info

Name
Suspicious Driver Service Installation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to install a suspicious driver service using the 'sc.exe' command. It has been observed that adversaries use this technique to install malicious/vulnerable drivers to bypass/disrupt security solutions such as EDRs. This technique is often used in conjunction with other techniques to establish persistence and maintain control over the compromised system.
Reference
https://www.security.com/sites/default/files/2025-02/2025_02_Ransomware_2025.pdf
Date
2026-01-27 00:00:00
Modified
None
Id
61268eb3-3eb0-4e74-a245-2b8cd7f5c583
Tags
attack.defense-evasion attack.t1562.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022