LOLBAS/yml/OSBinaries/Pnputil.yml
frack113 4f83231697
Update old sigma link (#303)
* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-18 11:30:34 -04:00

25 lines
835 B
YAML

---
Name: Pnputil.exe
Description: Used for installing drivers
Author: Hai vaknin (lux)
Created: 2020-12-25
Commands:
- Command: pnputil.exe -i -a C:\Users\hai\Desktop\mo.inf
Description: Used for installing drivers
Usecase: Add malicious driver
Category: Execute
Privileges: Administrator
MitreID: T1547
OperatingSystem: Windows 7, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\system32\pnputil.exe
Code_Sample:
- Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
Acknowledgement:
- Person: Hai Vaknin(Lux)
Handle: '@LuxNoBulIshit'
- Person: Avihay eldad
Handle: '@aloneliassaf'