T1068

Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. A key sub-technique is Bring Your Own Vulnerable Driver (BYOVD), where adversaries drop a legitimately signed but vulnerable kernel driver onto a compromised machine and then exploit it to execute code in kernel mode, bypassing Driver Signature Enforcement. Real-world examples include Embargo ransomware using MS4Killer, ZeroCleare using VBoxDrv.sys, APT29 exploiting CVE-2021-36934, and Turla exploiting VBoxDrv.sys vulnerabilities.

Microsoft Sentinel / Defender

kusto

let SuspiciousDriverPaths = dynamic([
  "\\temp\\", "\\tmp\\", "\\downloads\\", "\\appdata\\local\\",
  "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\",
  "\\$recycle.bin\\", "\\windows\\tasks\\", "\\perflogs\\"
]);
let KnownVulnerableDriverNames = dynamic([
  "rtcore64.sys", "rtcore32.sys", "gdrv.sys", "gdrv2.sys",
  "asrdrv10.sys", "asrdrv101.sys", "asrdrv102.sys",
  "aswarpot.sys", "vboxdrv.sys",
  "dbutil_2_3.sys", "dbutildrv2.sys",
  "mhyprot2.sys", "mhyprot3.sys",
  "iqvw64e.sys", "iqvw32e.sys",
  "winring0x64.sys", "winring0.sys",
  "capcom.sys", "msio64.sys", "msio32.sys",
  "ms4killer.sys", "glckio2.sys",
  "physmem.sys", "nvflash.sys",
  "nicm.sys", "nscm.sys",
  "spwizeng.sys", "bs_rcio64.sys"
]);
// Signal 1: Known vulnerable driver loaded (BYOVD)
let BYOVDDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where tolower(FileName) in (KnownVulnerableDriverNames)
| extend DetectionSignal = "KnownVulnerableDriverLoaded"
| project Timestamp, DeviceName, AccountName, DetectionSignal,
  DriverFile=FileName, DriverPath=FolderPath,
  SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine,
  InitiatingProcessAccountName;
// Signal 2: Driver (.sys) loaded from user-writable or suspicious path
let SuspiciousPathDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName endswith ".sys"
| where tolower(FolderPath) has_any (SuspiciousDriverPaths)
| extend DetectionSignal = "DriverLoadedFromSuspiciousPath"
| project Timestamp, DeviceName, AccountName, DetectionSignal,
  DriverFile=FileName, DriverPath=FolderPath,
  SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine,
  InitiatingProcessAccountName;
// Signal 3: New driver service registered pointing to suspicious path (pre-load step)
let SuspiciousDriverService = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\SYSTEM\\CurrentControlSet\\Services\\"
| where RegistryValueName == "ImagePath"
| where tolower(RegistryValueData) endswith ".sys"
| where tolower(RegistryValueData) has_any (SuspiciousDriverPaths)
  or tolower(RegistryValueData) has_any (KnownVulnerableDriverNames)
| extend DetectionSignal = "SuspiciousDriverServiceRegistered"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
  DetectionSignal, DriverFile=tostring(split(RegistryValueData, "\\")[-1]),
  DriverPath=RegistryValueData, SHA256="",
  InitiatingProcessFileName, InitiatingProcessCommandLine,
  InitiatingProcessAccountName;
// Signal 4: Security Event 4697 — new kernel driver service installed
let NewDriverServiceInstalled = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4697
| where ServiceType == "0x1" // Kernel driver
| where tolower(ServiceFileName) has_any (SuspiciousDriverPaths)
  or tolower(ServiceFileName) has_any (KnownVulnerableDriverNames)
| extend DetectionSignal = "KernelDriverServiceInstalled_4697"
| project Timestamp=TimeGenerated, DeviceName=Computer,
  AccountName=SubjectUserName, DetectionSignal,
  DriverFile=ServiceName, DriverPath=ServiceFileName, SHA256="",
  InitiatingProcessFileName="", InitiatingProcessCommandLine="",
  InitiatingProcessAccountName=SubjectUserName;
// Union all signals
BYOVDDriverLoad
| union SuspiciousPathDriverLoad
| union SuspiciousDriverService
| union NewDriverServiceInstalled
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Driver: Driver Load Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceImageLoadEvents DeviceRegistryEvents SecurityEvent

False Positives

Legitimate use of virtualization software (VMware, VirtualBox) loading VBoxDrv.sys or vmware*.sys during installation or normal operation
Security research or penetration testing tools that use signed vulnerable drivers in controlled environments
Overclocking or hardware monitoring utilities (MSI Afterburner loading RTCore64.sys, ASUS GPU Tweak loading AsrDrv) on gaming or engineering workstations
Dell BIOS update utilities legitimately loading dbutil_2_3.sys or dbutildrv2.sys as part of authorized firmware updates
Kernel debugging sessions by authorized developers loading unsigned or test-signed drivers via WinDbg or similar
Software deployment tools (SCCM, PDQ Deploy) installing legitimate hardware vendor drivers that happen to match path patterns

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=6)
  OR
  (sourcetype="WinEventLog:Security" EventCode=4697)
)
| eval _driver_path=lower(coalesce(ImageLoaded, ServiceFileName, ""))
| eval _driver_name=lower(mvindex(split(_driver_path, "\\"), -1))
| eval IsSuspiciousPath=if(
    match(_driver_path, "(\\\\temp\\\\|\\\\tmp\\\\|\\\\downloads\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|\\\\perflogs\\\\)"),
    1, 0)
| eval IsKnownVulnDriver=if(
    match(_driver_name, "(rtcore64|rtcore32|gdrv2?\.sys|asrdrv10[12]?|aswarpot|vboxdrv|dbutil_2_3|dbutildrv2|mhyprot[23]?|iqvw(64|32)e|winring0(x64)?|capcom|msio(64|32)|ms4killer|glckio2|physmem|nvflash|nicm\.sys|nscm\.sys|bs_rcio64)"),
    1, 0)
| eval IsUnsignedOrInvalid=if(
    (EventCode=6 AND (Signed="false" OR SignatureStatus!="Valid")),
    1, 0)
| eval DetectionSignal=case(
    IsKnownVulnDriver=1, "KnownVulnerableDriverLoaded",
    IsSuspiciousPath=1 AND IsUnsignedOrInvalid=1, "UnsignedDriverFromSuspiciousPath",
    IsSuspiciousPath=1, "DriverLoadedFromSuspiciousPath",
    EventCode=4697, "KernelDriverServiceInstalled",
    true(), "Other")
| where IsKnownVulnDriver=1 OR IsSuspiciousPath=1 OR (EventCode=4697 AND match(_driver_path, "\.sys$"))
| eval DriverPath=coalesce(ImageLoaded, ServiceFileName)
| eval Signed=coalesce(Signed, "N/A")
| eval SignatureStatus=coalesce(SignatureStatus, "N/A")
| eval UserAccount=coalesce(User, SubjectUserName, "N/A")
| table _time, host, UserAccount, EventCode, DetectionSignal, DriverPath,
  Signed, SignatureStatus, Hashes, IsKnownVulnDriver, IsSuspiciousPath, IsUnsignedOrInvalid
| sort - _time

critical severity medium confidence

Data Sources

Driver: Driver Load Sysmon Event ID 6 Windows Security Event ID 4697

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Virtualization software installation loading VBoxDrv.sys, vmx86.sys, or similar legitimate hypervisor drivers
Hardware vendor utilities (MSI Afterburner, ASUS ROG software, Dell BIOS Update) loading their respective signed but vulnerable drivers for legitimate purposes
Security tools and endpoint agents that use kernel drivers for behavioral monitoring (CrowdStrike csagent.sys, Carbon Black cbdaemon.sys) from their standard install paths
Kernel developers or security researchers running authorized driver testing in lab environments with test signing enabled
Enterprise software using kernel drivers deployed via SCCM/Intune that extract to temp directories as part of their installer workflow

Elastic Security (EQL)

eql

any where
(
  (
    event.dataset == "windows.sysmon_operational"
    and event.code == "6"
    and (
      file.name : ("rtcore64.sys", "rtcore32.sys", "gdrv.sys", "gdrv2.sys",
        "asrdrv10.sys", "asrdrv101.sys", "asrdrv102.sys", "aswarpot.sys",
        "vboxdrv.sys", "dbutil_2_3.sys", "dbutildrv2.sys", "mhyprot2.sys",
        "mhyprot3.sys", "iqvw64e.sys", "iqvw32e.sys", "winring0x64.sys",
        "winring0.sys", "capcom.sys", "msio64.sys", "msio32.sys",
        "ms4killer.sys", "glckio2.sys", "physmem.sys", "nvflash.sys",
        "nicm.sys", "nscm.sys", "spwizeng.sys", "bs_rcio64.sys")
      or file.path : ("*\\temp\\*", "*\\tmp\\*", "*\\downloads\\*",
        "*\\appdata\\local\\*", "*\\appdata\\roaming\\*",
        "*\\users\\public\\*", "*\\programdata\\*",
        "*\\$recycle.bin\\*", "*\\windows\\tasks\\*", "*\\perflogs\\*")
    )
  )
  or
  (
    event.code == "4697"
    and winlog.event_data.ServiceType == "0x1"
    and (
      winlog.event_data.ServiceFileName : ("*rtcore64*", "*rtcore32*",
        "*gdrv.sys*", "*gdrv2.sys*", "*asrdrv10*", "*aswarpot*",
        "*vboxdrv*", "*dbutil_2_3*", "*dbutildrv2*", "*mhyprot*",
        "*iqvw64e*", "*iqvw32e*", "*winring0*", "*capcom.sys*",
        "*msio64*", "*msio32*", "*ms4killer*", "*physmem.sys*",
        "*nvflash*", "*nicm.sys*", "*nscm.sys*", "*bs_rcio64*")
      or winlog.event_data.ServiceFileName : ("*\\temp\\*", "*\\tmp\\*",
        "*\\downloads\\*", "*\\appdata\\*", "*\\users\\public\\*",
        "*\\programdata\\*", "*\\perflogs\\*")
    )
  )
)

critical severity high confidence

Data Sources

Windows Sysmon Event ID 6 (Driver Load) via Elastic Agent Windows integration or Winlogbeat Windows Security Event ID 4697 (A service was installed in the system) via Elastic Agent or Winlogbeat

Required Tables

logs-windows.sysmon_operational-* logs-system.security-* winlogbeat-*

False Positives

Overclocking and hardware monitoring utilities (MSI Afterburner, EVGA Precision X1, ASUS GPU Tweak II) that load RTCore64.sys or RTCore32.sys for GPU MMIO register access — these are exact blocklist name matches and will fire on every host startup until allowlisted by verified Authenticode hash
VirtualBox and VMware installations writing vboxdrv.sys or vmci.sys during fresh install or version upgrades where the installer stages drivers in %TEMP% before moving them to the final driver path
ASUS Armoury Crate, Gigabyte App Center, and ASRock Polychrome Sync shipping AsrDrv10x.sys or GDrv.sys variants for fan control, LED management, and voltage monitoring on gaming and workstation endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  hostname AS Hostname,
  username AS UserAccount,
  eventid AS EventID,
  QIDNAME(qid) AS EventName,
  filename AS DriverFile,
  filepath AS DriverPath,
  CASE
    WHEN LOWER(filename) IN (
      'rtcore64.sys', 'rtcore32.sys', 'gdrv.sys', 'gdrv2.sys',
      'asrdrv10.sys', 'asrdrv101.sys', 'asrdrv102.sys', 'aswarpot.sys',
      'vboxdrv.sys', 'dbutil_2_3.sys', 'dbutildrv2.sys', 'mhyprot2.sys',
      'mhyprot3.sys', 'iqvw64e.sys', 'iqvw32e.sys', 'winring0x64.sys',
      'winring0.sys', 'capcom.sys', 'msio64.sys', 'msio32.sys',
      'ms4killer.sys', 'glckio2.sys', 'physmem.sys', 'nvflash.sys',
      'nicm.sys', 'nscm.sys', 'spwizeng.sys', 'bs_rcio64.sys'
    ) THEN 'KnownVulnerableDriverLoaded'
    WHEN LOWER(filepath) MATCHES '(?i).*\\\\(temp|tmp|downloads|appdata|users\\\\public|programdata|perflogs|\$recycle\.bin|windows\\\\tasks)\\\\.*'
      THEN 'DriverFromSuspiciousPath'
    ELSE 'KernelDriverServiceInstalled'
  END AS DetectionSignal,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Windows Sysmon'
  )
  AND (eventid = 6 OR eventid = 4697)
  AND (
    LOWER(filename) IN (
      'rtcore64.sys', 'rtcore32.sys', 'gdrv.sys', 'gdrv2.sys',
      'asrdrv10.sys', 'asrdrv101.sys', 'asrdrv102.sys', 'aswarpot.sys',
      'vboxdrv.sys', 'dbutil_2_3.sys', 'dbutildrv2.sys', 'mhyprot2.sys',
      'mhyprot3.sys', 'iqvw64e.sys', 'iqvw32e.sys', 'winring0x64.sys',
      'winring0.sys', 'capcom.sys', 'msio64.sys', 'msio32.sys',
      'ms4killer.sys', 'glckio2.sys', 'physmem.sys', 'nvflash.sys',
      'nicm.sys', 'nscm.sys', 'spwizeng.sys', 'bs_rcio64.sys'
    )
    OR LOWER(filepath) MATCHES '(?i).*\\\\(temp|tmp|downloads|appdata|users\\\\public|programdata|perflogs)\\\\.*'
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC

critical severity high confidence

Data Sources

QRadar Microsoft Windows Security Event Log DSM (EventID 4697 — kernel driver service installation) QRadar Microsoft Windows Sysmon DSM (EventID 6 — driver load, ImageLoaded field)

Required Tables

events

False Positives

MSI Afterburner, ASUS GPU Tweak, and EVGA Precision tools loading RTCore64.sys or RTCore32.sys for GPU overclocking register access — these are exact blocklist names and produce high-volume FPs on gaming/engineering workstations until allowlisted by verified hash in QRadar's reference set
Legitimate VirtualBox installations loading VBoxDrv.sys — the QRadar Sysmon DSM must correctly map ImageLoaded to the filepath property; verify DSM mapping before tuning
Corporate endpoint management platforms (Tanium, BigFix, Ivanti Neurons) deploying kernel-mode agents that stage .sys files in %ProgramData% as part of managed agent installation workflows

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "EventID=*" as EventID nodrop
| parse "ImageLoaded=*" as ImageLoaded nodrop
| parse "ServiceFileName=*" as ServiceFileName nodrop
| parse "ServiceType=*" as ServiceType nodrop
| parse "SubjectUserName=*" as SubjectUserName nodrop
| parse "User=*" as SysmonUser nodrop
| where EventID in ("6", "4697")
| if(EventID == "6", ImageLoaded, ServiceFileName) as DriverPath
| toLowerCase(DriverPath) as LowerDriverPath
| if(EventID == "6", SysmonUser, SubjectUserName) as UserAccount
| if(
    matches(LowerDriverPath, "(?i).*(rtcore64\.sys|rtcore32\.sys|gdrv2?\.sys|asrdrv10[012]?\.sys|aswarpot\.sys|vboxdrv\.sys|dbutil_2_3\.sys|dbutildrv2\.sys|mhyprot[23]?\.sys|iqvw(?:64|32)e\.sys|winring0(?:x64)?\.sys|capcom\.sys|msio(?:64|32)\.sys|ms4killer\.sys|glckio2\.sys|physmem\.sys|nvflash\.sys|nicm\.sys|nscm\.sys|spwizeng\.sys|bs_rcio64\.sys).*"),
    1, 0) as IsKnownVulnDriver
| if(
    matches(LowerDriverPath, "(?i).*\\\\(temp|tmp|downloads|appdata|users\\\\public|programdata|\\$recycle\.bin|windows\\\\tasks|perflogs)\\\\.*"),
    1, 0) as IsSuspiciousPath
| where IsKnownVulnDriver = 1 OR IsSuspiciousPath = 1
| if(IsKnownVulnDriver = 1, "KnownVulnerableDriverLoaded",
    if(IsSuspiciousPath = 1, "DriverFromSuspiciousPath",
    "KernelDriverServiceInstalled")) as DetectionSignal
| fields _messageTime, _sourceHost, UserAccount, EventID, DetectionSignal, DriverPath, IsKnownVulnDriver, IsSuspiciousPath
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Windows Sysmon source category — Event 6 (Driver Load) with ImageLoaded field Sumo Logic Windows Security Event Log source category — Event 4697 (Service Installed) with ServiceFileName and ServiceType fields

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

GPU overclocking utilities (MSI Afterburner, EVGA Precision X1, ASUS GPU Tweak II) loading RTCore64.sys or RTCore32.sys for hardware register access — these are among the most common false positives and should be suppressed via allowlist lookup table keyed on SHA256 hash, not driver name
VirtualBox desktop virtualization loading VBoxDrv.sys from %TEMP% staging directories during fresh installs or version upgrades on developer workstations
Gigabyte App Center, ASRock Polychrome Sync, and ASUS Armoury Crate shipping AsrDrv10x.sys or GDrv.sys variants for LED, fan control, and voltage monitoring — common on gaming endpoints in BYOD environments

Google Chronicle / SecOps

yaral

rule T1068_BYOVD_KernelDriverPrivEsc {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects BYOVD (Bring Your Own Vulnerable Driver) technique and exploitation for privilege escalation (T1068). Monitors DRIVER_LOAD events for known-vulnerable driver names from the public LOLDRIVERS blocklist and for .sys files staged in suspicious user-writable paths used to bypass Driver Signature Enforcement."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1068"
    reference = "https://attack.mitre.org/techniques/T1068/"
    version = "1.0"

  events:
    $e.metadata.event_type = "DRIVER_LOAD"
    $e.principal.hostname = $hostname
    (
      // Signal 1: Known vulnerable driver name (BYOVD blocklist)
      re.regex($e.target.file.full_path,
        `(?i)(rtcore64\.sys|rtcore32\.sys|gdrv2?\.sys|asrdrv10[012]?\.sys|aswarpot\.sys|vboxdrv\.sys|dbutil_2_3\.sys|dbutildrv2\.sys|mhyprot[23]?\.sys|iqvw(?:64|32)e\.sys|winring0(?:x64)?\.sys|capcom\.sys|msio(?:64|32)\.sys|ms4killer\.sys|glckio2\.sys|physmem\.sys|nvflash\.sys|nicm\.sys|nscm\.sys|spwizeng\.sys|bs_rcio64\.sys)`)
      or
      // Signal 2: Driver loaded from suspicious user-writable staging path
      re.regex($e.target.file.full_path,
        `(?i)\\(?:temp|tmp|downloads|appdata\\(?:local|roaming)|users\\public|programdata|\$recycle\.bin|windows\\tasks|perflogs)\\`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle with Windows Sysmon log ingestion (DRIVER_LOAD UDM events from Sysmon EventID 6) WINDOWS_SYSMON Chronicle log type mapping target.file.full_path from ImageLoaded field

Required Tables

UDM events with metadata.event_type = DRIVER_LOAD WINDOWS_SYSMON Chronicle log type

False Positives

Legitimate hardware vendor utilities (ASUS Armoury Crate, Gigabyte App Center, MSI Dragon Center) loading GDrv.sys, AsrDrv10x.sys, or RTCore64.sys from standard %ProgramData% installation paths for fan, LED, and voltage hardware access
Gaming anti-cheat kernel drivers (Vanguard, EasyAntiCheat, BattlEye kernel module) where some vendors historically reused driver names present in BYOVD blocklists — verify Authenticode certificate against the allowlist before suppressing
Oracle VirtualBox loading VBoxDrv.sys from %TEMP% staging path during installer execution on developer workstations before final placement in C:\Program Files\Oracle\VirtualBox

CrowdStrike LogScale (CQL)

cql

// T1068 BYOVD — Known Vulnerable Driver Load and Suspicious Staging Path
#event_simpleName = DriverLoad
| lowerDriver := lower(ImageFileName)
| regex("rtcore64\.sys|rtcore32\.sys|gdrv2?\.sys|asrdrv10[012]?\.sys|aswarpot\.sys|vboxdrv\.sys|dbutil_2_3\.sys|dbutildrv2\.sys|mhyprot[23]?\.sys|iqvw(?:64|32)e\.sys|winring0(?:x64)?\.sys|capcom\.sys|msio(?:64|32)\.sys|ms4killer\.sys|glckio2\.sys|physmem\.sys|nvflash\.sys|nicm\.sys|nscm\.sys|spwizeng\.sys|bs_rcio64\.sys",
  field=lowerDriver, as=IsKnownVulnDriver)
| regex("\\\\(?:temp|tmp|downloads|appdata|users\\\\public|programdata|perflogs|\\$recycle\.bin|windows\\\\tasks)\\\\",
  field=lowerDriver, as=IsSuspiciousPath)
| IsKnownVulnDriver = true OR IsSuspiciousPath = true
| DetectionSignal := if(IsKnownVulnDriver = true,
    "KnownVulnerableDriverLoaded",
    "DriverFromSuspiciousPath")
| table(
    [timestamp, ComputerName, UserName, DetectionSignal,
     ImageFileName, SHA256HashData, IsKnownVulnDriver, IsSuspiciousPath])
| sort(timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR sensor — DriverLoad event (#event_simpleName=DriverLoad) Key fields: ImageFileName (full driver path), SHA256HashData, ComputerName, UserName

Required Tables

DriverLoad events from CrowdStrike Falcon sensor telemetry (Falcon Data Replicator or Event Search)

False Positives

MSI Afterburner and EVGA Precision X1 loading RTCore64.sys or RTCore32.sys for GPU overclocking MMIO register access — highest-volume false positive class; allowlist in Falcon policy by Authenticode certificate (Micro-Star International) rather than by name to avoid hash-chasing after vendor updates
Oracle VirtualBox loading VBoxDrv.sys — allowlist by Oracle's Authenticode signing certificate in Falcon's driver policy rather than by path, since the driver may appear in %TEMP% during upgrade workflows
ASUS ROG Armoury Crate loading AsrDrv10x.sys or GDrv.sys on gaming workstations — in enterprise environments this software is rarely business-justified and should still trigger investigation even if suppressed for specific verified hashes

Last updated: 2026-04-17 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1068 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exploitation for Privilege Escalation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Privilege Escalation

Popular Detections