Rule Info
Name: Suspicious Driver Service Installation - System
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects driver service installations from suspicious locations, indicating potential malware activity.
Threat actors may install malicious or vulnerable drivers for various purposes, such as bypassing security products (EDR/AV) or gaining kernel access to dump LSASS memory.
This technique is commonly used in security product bypass attempts and is nowadays frequently seen from ransomware groups and other threat actors.
Date: 2026-01-27 00:00:00
Modified: None
Id: f6f9095a-f2b2-4b69-ba19-92f1a2cd8c7e
Tags: attack.defense-evasion attack.t1562.001
Type: Nextron Sigma feed only (private)
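The rule logic itself is private, so the following is an added example written for this page, not Nextron's rule: it sketches the kind of check the description implies, run over constructed Windows System log Event ID 7045 ("A service was installed in the system") message bodies. It assumes the standard 7045 fields (Service Name, Service File Name, Service Type) and flags a kernel-mode driver service whose image path resolves to a user-writable or temporary location; the list of suspicious path fragments and the NT path normalization are this example's own assumptions.

```python
"""Added example, not Nextron's private Sigma rule: flag Event ID 7045 entries
whose service is a kernel-mode driver loaded from a suspicious location."""
import re

# Path fragments a legitimate driver image should not be loaded from
# (assumption for this example; tune to the environment).
SUSPICIOUS_PATH_PARTS = (
    "\\users\\",
    "\\temp\\",
    "\\programdata\\",
    "\\appdata\\",
    "\\perflogs\\",
    "\\windows\\tasks\\",
)

# Key/value lines as they appear in the 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):"
    r"[ \t]*(.*?)[ \t]*$",
    re.M,
)


def parse_7045(message: str) -> dict:
    """Extract the field lines from a 7045 event message body."""
    return dict(FIELD_RE.findall(message))


def normalize_path(image_path: str) -> str:
    """Lower-case the path and strip NT object-manager prefixes so checks are uniform."""
    p = image_path.strip().strip('"').lower()
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    p = p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    if p.startswith("system32\\"):  # driver paths are often logged relative to the Windows directory
        p = "c:\\windows\\" + p
    return p


def is_suspicious_driver_install(event: dict) -> bool:
    """True when a kernel-mode driver service points at a suspicious location."""
    if "kernel mode driver" not in event.get("Service Type", "").lower():
        return False  # user-mode services are out of scope for this check
    path = normalize_path(event.get("Service File Name", ""))
    return any(part in path for part in SUSPICIOUS_PATH_PARTS)


def scan(messages) -> list:
    """Return the service names of suspicious driver installs among 7045 message bodies."""
    hits = []
    for msg in messages:
        ev = parse_7045(msg)
        if is_suspicious_driver_install(ev):
            hits.append(ev.get("Service Name", "<unknown>"))
    return hits


def _event(name, path, svc_type, start="demand start"):
    """Build a constructed 7045-style message body (sample data, not real telemetry)."""
    return ("A service was installed in the system.\n\n"
            f"Service Name:  {name}\n"
            f"Service File Name:  {path}\n"
            f"Service Type:  {svc_type}\n"
            f"Service Start Type:  {start}\n"
            "Service Account:  \n")


# Constructed sample events: one benign driver, one driver from a user directory,
# one user-mode service from Temp, one driver logged with a relative path.
SAMPLE_EVENTS = [
    _event("vmci", r"\SystemRoot\system32\DRIVERS\vmci.sys", "kernel mode driver", "system start"),
    _event("ExampleDrv", r"\??\C:\Users\Public\exampledrv.sys", "kernel mode driver"),
    _event("UpdaterSvc", r"C:\Windows\Temp\updater.exe", "user mode service"),
    _event("FooDrv", r"system32\DRIVERS\foo.sys", "kernel mode driver"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Only the driver loaded from under C:\Users is reported; the user-mode service in C:\Windows\Temp is left for a separate service-installation rule, and the relative `system32\DRIVERS` form is resolved before the path check so it is not mistaken for an unknown location.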
