Which SIEM platforms have a T1068 detection rule?

df00tech provides T1068 (Exploitation for Privilege Escalation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1068 detection?

The T1068 detection is rated critical severity with medium confidence.

What are common false positives for T1068?

Common false positives for T1068 include: Legitimate use of virtualization software (VMware, VirtualBox) loading VBoxDrv.sys or vmware*.sys during installation or normal operation; Security research or penetration testing tools that use signed vulnerable drivers in controlled environments; Overclocking or hardware monitoring utilities (MSI Afterburner loading RTCore64.sys, ASUS GPU Tweak loading AsrDrv) on gaming or engineering workstations.

T1068

Exploitation for Privilege Escalation

Q: What data sources are required to detect Exploitation for Privilege Escalation (T1068)?

Detecting Exploitation for Privilege Escalation requires the following data sources: Driver: Driver Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint, Windows Security Event Log.

Privilege Escalation Last updated: April 17, 2026

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. A key sub-technique is Bring Your Own Vulnerable Driver (BYOVD), where adversaries drop a legitimately signed but vulnerable kernel driver onto a compromised machine and then exploit it to execute code in kernel mode, bypassing Driver Signature Enforcement. Real-world examples include Embargo ransomware using MS4Killer, ZeroCleare using VBoxDrv.sys, APT29 exploiting CVE-2021-36934, and Turla exploiting VBoxDrv.sys vulnerabilities.

What is T1068 Exploitation for Privilege Escalation?

Exploitation for Privilege Escalation (T1068) maps to the Privilege Escalation tactic — the adversary is trying to gain higher-level permissions in MITRE ATT&CK.

This page provides production-ready detection logic for Exploitation for Privilege Escalation, covering the data sources and telemetry it touches: Driver: Driver Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint, Windows Security Event Log. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Privilege Escalation
Technique: T1068 Exploitation for Privilege Escalation
Canonical reference: https://attack.mitre.org/techniques/T1068/

Microsoft Sentinel / Defender

kusto

let SuspiciousDriverPaths = dynamic([
  "\\temp\\", "\\tmp\\", "\\downloads\\", "\\appdata\\local\\",
  "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\",
  "\\$recycle.bin\\", "\\windows\\tasks\\", "\\perflogs\\"
]);
let KnownVulnerableDriverNames = dynamic([
  "rtcore64.sys", "rtcore32.sys", "gdrv.sys", "gdrv2.sys",
  "asrdrv10.sys", "asrdrv101.sys", "asrdrv102.sys",
  "aswarpot.sys", "vboxdrv.sys",
  "dbutil_2_3.sys", "dbutildrv2.sys",
  "mhyprot2.sys", "mhyprot3.sys",
  "iqvw64e.sys", "iqvw32e.sys",
  "winring0x64.sys", "winring0.sys",
  "capcom.sys", "msio64.sys", "msio32.sys",
  "ms4killer.sys", "glckio2.sys",
  "physmem.sys", "nvflash.sys",
  "nicm.sys", "nscm.sys",
  "spwizeng.sys", "bs_rcio64.sys"
]);
// Signal 1: Known vulnerable driver loaded (BYOVD)
let BYOVDDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where tolower(FileName) in (KnownVulnerableDriverNames)
| extend DetectionSignal = "KnownVulnerableDriverLoaded"
| project Timestamp, DeviceName, AccountName, DetectionSignal,
  DriverFile=FileName, DriverPath=FolderPath,
  SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine,
  InitiatingProcessAccountName;
// Signal 2: Driver (.sys) loaded from user-writable or suspicious path
let SuspiciousPathDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName endswith ".sys"
| where tolower(FolderPath) has_any (SuspiciousDriverPaths)
| extend DetectionSignal = "DriverLoadedFromSuspiciousPath"
| project Timestamp, DeviceName, AccountName, DetectionSignal,
  DriverFile=FileName, DriverPath=FolderPath,
  SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine,
  InitiatingProcessAccountName;
// Signal 3: New driver service registered pointing to suspicious path (pre-load step)
let SuspiciousDriverService = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\SYSTEM\\CurrentControlSet\\Services\\"
| where RegistryValueName == "ImagePath"
| where tolower(RegistryValueData) endswith ".sys"
| where tolower(RegistryValueData) has_any (SuspiciousDriverPaths)
  or tolower(RegistryValueData) has_any (KnownVulnerableDriverNames)
| extend DetectionSignal = "SuspiciousDriverServiceRegistered"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
  DetectionSignal, DriverFile=tostring(split(RegistryValueData, "\\")[-1]),
  DriverPath=RegistryValueData, SHA256="",
  InitiatingProcessFileName, InitiatingProcessCommandLine,
  InitiatingProcessAccountName;
// Signal 4: Security Event 4697 — new kernel driver service installed
let NewDriverServiceInstalled = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4697
| where ServiceType == "0x1" // Kernel driver
| where tolower(ServiceFileName) has_any (SuspiciousDriverPaths)
  or tolower(ServiceFileName) has_any (KnownVulnerableDriverNames)
| extend DetectionSignal = "KernelDriverServiceInstalled_4697"
| project Timestamp=TimeGenerated, DeviceName=Computer,
  AccountName=SubjectUserName, DetectionSignal,
  DriverFile=ServiceName, DriverPath=ServiceFileName, SHA256="",
  InitiatingProcessFileName="", InitiatingProcessCommandLine="",
  InitiatingProcessAccountName=SubjectUserName;
// Union all signals
BYOVDDriverLoad
| union SuspiciousPathDriverLoad
| union SuspiciousDriverService
| union NewDriverServiceInstalled
| sort by Timestamp desc

Multi-signal detection for T1068 Exploitation for Privilege Escalation, focused on the Bring Your Own Vulnerable Driver (BYOVD) sub-pattern. Covers four detection signals: (1) known vulnerable drivers loaded by name (RTCore64, DBUtil_2_3, MHyprot2, WinRing0, Capcom, etc. sourced from the LOLDrivers project), (2) any .sys driver loaded from user-writable or suspicious filesystem paths, (3) registry service key creation pointing to a .sys in a suspicious path (the pre-load registration step), and (4) Security Event 4697 (new kernel driver service installed) for drivers matching suspicious paths or known vulnerable names. Uses DeviceImageLoadEvents, DeviceRegistryEvents, and SecurityEvent tables.

critical severity medium confidence

Data Sources

Driver: Driver Load Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceImageLoadEvents DeviceRegistryEvents SecurityEvent

False Positives

Legitimate use of virtualization software (VMware, VirtualBox) loading VBoxDrv.sys or vmware*.sys during installation or normal operation
Security research or penetration testing tools that use signed vulnerable drivers in controlled environments
Overclocking or hardware monitoring utilities (MSI Afterburner loading RTCore64.sys, ASUS GPU Tweak loading AsrDrv) on gaming or engineering workstations
Dell BIOS update utilities legitimately loading dbutil_2_3.sys or dbutildrv2.sys as part of authorized firmware updates
Kernel debugging sessions by authorized developers loading unsigned or test-signed drivers via WinDbg or similar
Software deployment tools (SCCM, PDQ Deploy) installing legitimate hardware vendor drivers that happen to match path patterns

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=6)
  OR
  (sourcetype="WinEventLog:Security" EventCode=4697)
)
| eval _driver_path=lower(coalesce(ImageLoaded, ServiceFileName, ""))
| eval _driver_name=lower(mvindex(split(_driver_path, "\\"), -1))
| eval IsSuspiciousPath=if(
    match(_driver_path, "(\\\\temp\\\\|\\\\tmp\\\\|\\\\downloads\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|\\\\perflogs\\\\)"),
    1, 0)
| eval IsKnownVulnDriver=if(
    match(_driver_name, "(rtcore64|rtcore32|gdrv2?\.sys|asrdrv10[12]?|aswarpot|vboxdrv|dbutil_2_3|dbutildrv2|mhyprot[23]?|iqvw(64|32)e|winring0(x64)?|capcom|msio(64|32)|ms4killer|glckio2|physmem|nvflash|nicm\.sys|nscm\.sys|bs_rcio64)"),
    1, 0)
| eval IsUnsignedOrInvalid=if(
    (EventCode=6 AND (Signed="false" OR SignatureStatus!="Valid")),
    1, 0)
| eval DetectionSignal=case(
    IsKnownVulnDriver=1, "KnownVulnerableDriverLoaded",
    IsSuspiciousPath=1 AND IsUnsignedOrInvalid=1, "UnsignedDriverFromSuspiciousPath",
    IsSuspiciousPath=1, "DriverLoadedFromSuspiciousPath",
    EventCode=4697, "KernelDriverServiceInstalled",
    true(), "Other")
| where IsKnownVulnDriver=1 OR IsSuspiciousPath=1 OR (EventCode=4697 AND match(_driver_path, "\.sys$"))
| eval DriverPath=coalesce(ImageLoaded, ServiceFileName)
| eval Signed=coalesce(Signed, "N/A")
| eval SignatureStatus=coalesce(SignatureStatus, "N/A")
| eval UserAccount=coalesce(User, SubjectUserName, "N/A")
| table _time, host, UserAccount, EventCode, DetectionSignal, DriverPath,
  Signed, SignatureStatus, Hashes, IsKnownVulnDriver, IsSuspiciousPath, IsUnsignedOrInvalid
| sort - _time

Multi-signal SPL detection for T1068 BYOVD and kernel driver exploitation. Combines Sysmon Event ID 6 (Driver Loaded — includes Signed, SignatureStatus, and Hashes fields) with Windows Security Event ID 4697 (A new service was installed in the system) filtered to kernel driver service type. Evaluates three signal dimensions: known vulnerable driver names from the LOLDrivers catalog, suspicious filesystem paths indicating user-writable locations, and unsigned or invalid signature status. The DetectionSignal field categorizes the finding type for analyst triage.

critical severity medium confidence

Data Sources

Driver: Driver Load Sysmon Event ID 6 Windows Security Event ID 4697

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Virtualization software installation loading VBoxDrv.sys, vmx86.sys, or similar legitimate hypervisor drivers
Hardware vendor utilities (MSI Afterburner, ASUS ROG software, Dell BIOS Update) loading their respective signed but vulnerable drivers for legitimate purposes
Security tools and endpoint agents that use kernel drivers for behavioral monitoring (CrowdStrike csagent.sys, Carbon Black cbdaemon.sys) from their standard install paths
Kernel developers or security researchers running authorized driver testing in lab environments with test signing enabled
Enterprise software using kernel drivers deployed via SCCM/Intune that extract to temp directories as part of their installer workflow

Elastic Security (EQL)

eql

any where
(
  (
    event.dataset == "windows.sysmon_operational"
    and event.code == "6"
    and (
      file.name : ("rtcore64.sys", "rtcore32.sys", "gdrv.sys", "gdrv2.sys",
        "asrdrv10.sys", "asrdrv101.sys", "asrdrv102.sys", "aswarpot.sys",
        "vboxdrv.sys", "dbutil_2_3.sys", "dbutildrv2.sys", "mhyprot2.sys",
        "mhyprot3.sys", "iqvw64e.sys", "iqvw32e.sys", "winring0x64.sys",
        "winring0.sys", "capcom.sys", "msio64.sys", "msio32.sys",
        "ms4killer.sys", "glckio2.sys", "physmem.sys", "nvflash.sys",
        "nicm.sys", "nscm.sys", "spwizeng.sys", "bs_rcio64.sys")
      or file.path : ("*\\temp\\*", "*\\tmp\\*", "*\\downloads\\*",
        "*\\appdata\\local\\*", "*\\appdata\\roaming\\*",
        "*\\users\\public\\*", "*\\programdata\\*",
        "*\\$recycle.bin\\*", "*\\windows\\tasks\\*", "*\\perflogs\\*")
    )
  )
  or
  (
    event.code == "4697"
    and winlog.event_data.ServiceType == "0x1"
    and (
      winlog.event_data.ServiceFileName : ("*rtcore64*", "*rtcore32*",
        "*gdrv.sys*", "*gdrv2.sys*", "*asrdrv10*", "*aswarpot*",
        "*vboxdrv*", "*dbutil_2_3*", "*dbutildrv2*", "*mhyprot*",
        "*iqvw64e*", "*iqvw32e*", "*winring0*", "*capcom.sys*",
        "*msio64*", "*msio32*", "*ms4killer*", "*physmem.sys*",
        "*nvflash*", "*nicm.sys*", "*nscm.sys*", "*bs_rcio64*")
      or winlog.event_data.ServiceFileName : ("*\\temp\\*", "*\\tmp\\*",
        "*\\downloads\\*", "*\\appdata\\*", "*\\users\\public\\*",
        "*\\programdata\\*", "*\\perflogs\\*")
    )
  )
)

Detects BYOVD (Bring Your Own Vulnerable Driver) kernel driver abuse and exploitation for privilege escalation (T1068). Signal 1 monitors Sysmon Event 6 (Driver Load) via ECS-normalized file.name and file.path for 28 known-vulnerable driver filenames and suspicious user-writable staging paths. Signal 2 monitors Windows Security Event 4697 (Service Installation) for kernel-type service registrations (ServiceType=0x1) pointing to blocklisted driver names or suspicious paths. Covers Embargo's MS4Killer, APT29's CVE-2021-36934 tooling, ZeroCleare's VBoxDrv.sys abuse, and Turla variants.

critical severity high confidence

Data Sources

Windows Sysmon Event ID 6 (Driver Load) via Elastic Agent Windows integration or Winlogbeat Windows Security Event ID 4697 (A service was installed in the system) via Elastic Agent or Winlogbeat

Required Tables

logs-windows.sysmon_operational-* logs-system.security-* winlogbeat-*

False Positives

Overclocking and hardware monitoring utilities (MSI Afterburner, EVGA Precision X1, ASUS GPU Tweak II) that load RTCore64.sys or RTCore32.sys for GPU MMIO register access — these are exact blocklist name matches and will fire on every host startup until allowlisted by verified Authenticode hash
VirtualBox and VMware installations writing vboxdrv.sys or vmci.sys during fresh install or version upgrades where the installer stages drivers in %TEMP% before moving them to the final driver path
ASUS Armoury Crate, Gigabyte App Center, and ASRock Polychrome Sync shipping AsrDrv10x.sys or GDrv.sys variants for fan control, LED management, and voltage monitoring on gaming and workstation endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  hostname AS Hostname,
  username AS UserAccount,
  eventid AS EventID,
  QIDNAME(qid) AS EventName,
  filename AS DriverFile,
  filepath AS DriverPath,
  CASE
    WHEN LOWER(filename) IN (
      'rtcore64.sys', 'rtcore32.sys', 'gdrv.sys', 'gdrv2.sys',
      'asrdrv10.sys', 'asrdrv101.sys', 'asrdrv102.sys', 'aswarpot.sys',
      'vboxdrv.sys', 'dbutil_2_3.sys', 'dbutildrv2.sys', 'mhyprot2.sys',
      'mhyprot3.sys', 'iqvw64e.sys', 'iqvw32e.sys', 'winring0x64.sys',
      'winring0.sys', 'capcom.sys', 'msio64.sys', 'msio32.sys',
      'ms4killer.sys', 'glckio2.sys', 'physmem.sys', 'nvflash.sys',
      'nicm.sys', 'nscm.sys', 'spwizeng.sys', 'bs_rcio64.sys'
    ) THEN 'KnownVulnerableDriverLoaded'
    WHEN LOWER(filepath) MATCHES '(?i).*\\\\(temp|tmp|downloads|appdata|users\\\\public|programdata|perflogs|\$recycle\.bin|windows\\\\tasks)\\\\.*'
      THEN 'DriverFromSuspiciousPath'
    ELSE 'KernelDriverServiceInstalled'
  END AS DetectionSignal,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Windows Sysmon'
  )
  AND (eventid = 6 OR eventid = 4697)
  AND (
    LOWER(filename) IN (
      'rtcore64.sys', 'rtcore32.sys', 'gdrv.sys', 'gdrv2.sys',
      'asrdrv10.sys', 'asrdrv101.sys', 'asrdrv102.sys', 'aswarpot.sys',
      'vboxdrv.sys', 'dbutil_2_3.sys', 'dbutildrv2.sys', 'mhyprot2.sys',
      'mhyprot3.sys', 'iqvw64e.sys', 'iqvw32e.sys', 'winring0x64.sys',
      'winring0.sys', 'capcom.sys', 'msio64.sys', 'msio32.sys',
      'ms4killer.sys', 'glckio2.sys', 'physmem.sys', 'nvflash.sys',
      'nicm.sys', 'nscm.sys', 'spwizeng.sys', 'bs_rcio64.sys'
    )
    OR LOWER(filepath) MATCHES '(?i).*\\\\(temp|tmp|downloads|appdata|users\\\\public|programdata|perflogs)\\\\.*'
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC

QRadar AQL detection for BYOVD kernel driver loading and kernel-mode service installation (T1068). Correlates Sysmon EventID 6 (Driver Load) and Windows Security EventID 4697 (Service Installed as kernel driver) from their respective QRadar DSMs. Relies on QRadar's normalized filename and filepath properties populated by the Windows Security and Microsoft Windows Sysmon DSMs during log source parsing — the Sysmon DSM maps ImageLoaded to filepath and the driver basename to filename. The 86400000ms lookback window equals 24 hours.

critical severity high confidence

Data Sources

QRadar Microsoft Windows Security Event Log DSM (EventID 4697 — kernel driver service installation) QRadar Microsoft Windows Sysmon DSM (EventID 6 — driver load, ImageLoaded field)

Required Tables

events

False Positives

MSI Afterburner, ASUS GPU Tweak, and EVGA Precision tools loading RTCore64.sys or RTCore32.sys for GPU overclocking register access — these are exact blocklist names and produce high-volume FPs on gaming/engineering workstations until allowlisted by verified hash in QRadar's reference set
Legitimate VirtualBox installations loading VBoxDrv.sys — the QRadar Sysmon DSM must correctly map ImageLoaded to the filepath property; verify DSM mapping before tuning
Corporate endpoint management platforms (Tanium, BigFix, Ivanti Neurons) deploying kernel-mode agents that stage .sys files in %ProgramData% as part of managed agent installation workflows

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "EventID=*" as EventID nodrop
| parse "ImageLoaded=*" as ImageLoaded nodrop
| parse "ServiceFileName=*" as ServiceFileName nodrop
| parse "ServiceType=*" as ServiceType nodrop
| parse "SubjectUserName=*" as SubjectUserName nodrop
| parse "User=*" as SysmonUser nodrop
| where EventID in ("6", "4697")
| if(EventID == "6", ImageLoaded, ServiceFileName) as DriverPath
| toLowerCase(DriverPath) as LowerDriverPath
| if(EventID == "6", SysmonUser, SubjectUserName) as UserAccount
| if(
    matches(LowerDriverPath, "(?i).*(rtcore64\.sys|rtcore32\.sys|gdrv2?\.sys|asrdrv10[012]?\.sys|aswarpot\.sys|vboxdrv\.sys|dbutil_2_3\.sys|dbutildrv2\.sys|mhyprot[23]?\.sys|iqvw(?:64|32)e\.sys|winring0(?:x64)?\.sys|capcom\.sys|msio(?:64|32)\.sys|ms4killer\.sys|glckio2\.sys|physmem\.sys|nvflash\.sys|nicm\.sys|nscm\.sys|spwizeng\.sys|bs_rcio64\.sys).*"),
    1, 0) as IsKnownVulnDriver
| if(
    matches(LowerDriverPath, "(?i).*\\\\(temp|tmp|downloads|appdata|users\\\\public|programdata|\\$recycle\.bin|windows\\\\tasks|perflogs)\\\\.*"),
    1, 0) as IsSuspiciousPath
| where IsKnownVulnDriver = 1 OR IsSuspiciousPath = 1
| if(IsKnownVulnDriver = 1, "KnownVulnerableDriverLoaded",
    if(IsSuspiciousPath = 1, "DriverFromSuspiciousPath",
    "KernelDriverServiceInstalled")) as DetectionSignal
| fields _messageTime, _sourceHost, UserAccount, EventID, DetectionSignal, DriverPath, IsKnownVulnDriver, IsSuspiciousPath
| sort by _messageTime desc

Sumo Logic detection for BYOVD kernel driver abuse and exploitation for privilege escalation (T1068). Parses Sysmon Event 6 (Driver Load) and Windows Security Event 4697 (Kernel Driver Service Installation) from standard source categories, evaluating each event against 28 known-vulnerable driver names (regex-matched) and 9 suspicious user-writable staging paths. The matches() function applies Java-style regex against the lowercased driver path. Discrete scoring fields (IsKnownVulnDriver, IsSuspiciousPath) are preserved in output for analyst triage context.

critical severity high confidence

Data Sources

Sumo Logic Windows Sysmon source category — Event 6 (Driver Load) with ImageLoaded field Sumo Logic Windows Security Event Log source category — Event 4697 (Service Installed) with ServiceFileName and ServiceType fields

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

GPU overclocking utilities (MSI Afterburner, EVGA Precision X1, ASUS GPU Tweak II) loading RTCore64.sys or RTCore32.sys for hardware register access — these are among the most common false positives and should be suppressed via allowlist lookup table keyed on SHA256 hash, not driver name
VirtualBox desktop virtualization loading VBoxDrv.sys from %TEMP% staging directories during fresh installs or version upgrades on developer workstations
Gigabyte App Center, ASRock Polychrome Sync, and ASUS Armoury Crate shipping AsrDrv10x.sys or GDrv.sys variants for LED, fan control, and voltage monitoring — common on gaming endpoints in BYOD environments

Google Chronicle / SecOps

yaral

rule T1068_BYOVD_KernelDriverPrivEsc {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects BYOVD (Bring Your Own Vulnerable Driver) technique and exploitation for privilege escalation (T1068). Monitors DRIVER_LOAD events for known-vulnerable driver names from the public LOLDRIVERS blocklist and for .sys files staged in suspicious user-writable paths used to bypass Driver Signature Enforcement."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1068"
    reference = "https://attack.mitre.org/techniques/T1068/"
    version = "1.0"

  events:
    $e.metadata.event_type = "DRIVER_LOAD"
    $e.principal.hostname = $hostname
    (
      // Signal 1: Known vulnerable driver name (BYOVD blocklist)
      re.regex($e.target.file.full_path,
        `(?i)(rtcore64\.sys|rtcore32\.sys|gdrv2?\.sys|asrdrv10[012]?\.sys|aswarpot\.sys|vboxdrv\.sys|dbutil_2_3\.sys|dbutildrv2\.sys|mhyprot[23]?\.sys|iqvw(?:64|32)e\.sys|winring0(?:x64)?\.sys|capcom\.sys|msio(?:64|32)\.sys|ms4killer\.sys|glckio2\.sys|physmem\.sys|nvflash\.sys|nicm\.sys|nscm\.sys|spwizeng\.sys|bs_rcio64\.sys)`)
      or
      // Signal 2: Driver loaded from suspicious user-writable staging path
      re.regex($e.target.file.full_path,
        `(?i)\\(?:temp|tmp|downloads|appdata\\(?:local|roaming)|users\\public|programdata|\$recycle\.bin|windows\\tasks|perflogs)\\`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting BYOVD kernel driver privilege escalation (T1068). Operates on UDM DRIVER_LOAD events populated from Sysmon Event 6 ingested via Chronicle's Windows Sysmon log parser. Uses re.regex() against target.file.full_path to evaluate both known-vulnerable driver names (covering Embargo, BlackByte, APT29, ZeroCleare, and Turla toolsets) and suspicious user-writable staging paths. The single-event condition alerts immediately with no sequence dependency, maximising detection speed for this high-severity technique.

critical severity high confidence

Data Sources

Google Chronicle with Windows Sysmon log ingestion (DRIVER_LOAD UDM events from Sysmon EventID 6) WINDOWS_SYSMON Chronicle log type mapping target.file.full_path from ImageLoaded field

Required Tables

UDM events with metadata.event_type = DRIVER_LOAD WINDOWS_SYSMON Chronicle log type

False Positives

Legitimate hardware vendor utilities (ASUS Armoury Crate, Gigabyte App Center, MSI Dragon Center) loading GDrv.sys, AsrDrv10x.sys, or RTCore64.sys from standard %ProgramData% installation paths for fan, LED, and voltage hardware access
Gaming anti-cheat kernel drivers (Vanguard, EasyAntiCheat, BattlEye kernel module) where some vendors historically reused driver names present in BYOVD blocklists — verify Authenticode certificate against the allowlist before suppressing
Oracle VirtualBox loading VBoxDrv.sys from %TEMP% staging path during installer execution on developer workstations before final placement in C:\Program Files\Oracle\VirtualBox

CrowdStrike LogScale (CQL)

cql

// T1068 BYOVD — Known Vulnerable Driver Load and Suspicious Staging Path
#event_simpleName = DriverLoad
| lowerDriver := lower(ImageFileName)
| regex("rtcore64\.sys|rtcore32\.sys|gdrv2?\.sys|asrdrv10[012]?\.sys|aswarpot\.sys|vboxdrv\.sys|dbutil_2_3\.sys|dbutildrv2\.sys|mhyprot[23]?\.sys|iqvw(?:64|32)e\.sys|winring0(?:x64)?\.sys|capcom\.sys|msio(?:64|32)\.sys|ms4killer\.sys|glckio2\.sys|physmem\.sys|nvflash\.sys|nicm\.sys|nscm\.sys|spwizeng\.sys|bs_rcio64\.sys",
  field=lowerDriver, as=IsKnownVulnDriver)
| regex("\\\\(?:temp|tmp|downloads|appdata|users\\\\public|programdata|perflogs|\\$recycle\.bin|windows\\\\tasks)\\\\",
  field=lowerDriver, as=IsSuspiciousPath)
| IsKnownVulnDriver = true OR IsSuspiciousPath = true
| DetectionSignal := if(IsKnownVulnDriver = true,
    "KnownVulnerableDriverLoaded",
    "DriverFromSuspiciousPath")
| table(
    [timestamp, ComputerName, UserName, DetectionSignal,
     ImageFileName, SHA256HashData, IsKnownVulnDriver, IsSuspiciousPath])
| sort(timestamp, order=desc)

CrowdStrike LogScale (CQL) detection for BYOVD kernel driver loading using Falcon sensor's native DriverLoad telemetry (T1068). Uses regex() with as= parameter to create scored boolean fields without filtering, then applies a combined filter for analyst-facing triage. Falcon's DriverLoad event provides richer context than Sysmon Event 6 — including SHA256HashData for immediate IOC correlation and rapid prevention policy creation. The ImageFileName field contains the full driver path. Covers known-vulnerable drivers used by Embargo (MS4Killer), ZeroCleare (VBoxDrv.sys), APT29 (CVE-2021-36934 toolchain), and Turla (VBoxDrv.sys exploitation variants).

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR sensor — DriverLoad event (#event_simpleName=DriverLoad) Key fields: ImageFileName (full driver path), SHA256HashData, ComputerName, UserName

Required Tables

DriverLoad events from CrowdStrike Falcon sensor telemetry (Falcon Data Replicator or Event Search)

False Positives

MSI Afterburner and EVGA Precision X1 loading RTCore64.sys or RTCore32.sys for GPU overclocking MMIO register access — highest-volume false positive class; allowlist in Falcon policy by Authenticode certificate (Micro-Star International) rather than by name to avoid hash-chasing after vendor updates
Oracle VirtualBox loading VBoxDrv.sys — allowlist by Oracle's Authenticode signing certificate in Falcon's driver policy rather than by path, since the driver may appear in %TEMP% during upgrade workflows
ASUS ROG Armoury Crate loading AsrDrv10x.sys or GDrv.sys on gaming workstations — in enterprise environments this software is rarely business-justified and should still trigger investigation even if suppressed for specific verified hashes

Sigma rule & cross-platform mapping

The detection logic for Exploitation for Privilege Escalation (T1068) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1068 Sigma rules on detection.fyi

Platform-specific guides for T1068

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-17 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1BYOVD — Drop and Register Known Vulnerable Driver (RTCore64.sys Simulation)
Expected signal: Windows Security Event ID 4697 (New Service Installed): ServiceName=RTCore64, ServiceFileName=C:\Windows\Temp\RTCore64.sys, ServiceType=0x1 (Kernel Driver). Sysmon Event ID 1 (Process Create): Image=sc.exe, CommandLine containing 'create RTCore64 type= kernel'. DeviceRegistryEvents: RegistryKey containing \Services\RTCore64, RegistryValueName=ImagePath, RegistryValueData=C:\Windows\Temp\RTCore64.sys.
Test 2Suspicious Driver Load Path — Copy System Driver to Temp and Reload
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Users\Public\null_test.sys. Security Event ID 4697: ServiceFileName=C:\Users\Public\null_test.sys, ServiceType=0x1. DeviceRegistryEvents: RegistryKey containing \Services\TestPathDriver, ImagePath=C:\Users\Public\null_test.sys.
Test 3SeLoadDriverPrivilege Assignment via sc.exe (Privilege Telemetry)
Expected signal: Security Event ID 4697: ServiceName=FakePrivTest, ServiceType=0x1. Security Event ID 4672: PrivilegeList containing SeLoadDriverPrivilege assigned to the calling session's SubjectLogonId. System Event ID 7045 (New Service Installed) in System event log. sc.exe Process Create in Sysmon Event ID 1.
Test 4Linux Kernel Module Load from Non-Standard Path (Container/Linux)
Expected signal: Auditd SYSCALL record with syscall=finit_module or init_module, uid/euid of calling process. Syslog/kern.log message: 'df00tech_test: disagrees about version of symbol module_layout' or 'insmod: ERROR: could not insert module'. Auditd WATCH record for file access to /tmp/df00tech_test.ko. /var/log/audit/audit.log entries with key=t1068_test.
Test 5BYOVD — Enumerate Loaded Drivers for Vulnerable Candidates
Expected signal: Sysmon Event ID 1 (Process Create): driverquery.exe, sc.exe, powershell.exe executions with respective command lines. Security Event ID 4688 (if command-line auditing enabled) for same processes. WMI Activity log entries for Win32_SystemDriver query in Microsoft-Windows-WMI-Activity/Operational.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1068 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exploitation for Privilege Escalation

What is T1068 Exploitation for Privilege Escalation?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1068

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

What is T1068 Exploitation for Privilege Escalation?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1068

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox