T1068 Elastic Security · Elastic

Detect Exploitation for Privilege Escalation in Elastic Security

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. A key sub-technique is Bring Your Own Vulnerable Driver (BYOVD), where adversaries drop a legitimately signed but vulnerable kernel driver onto a compromised machine and then exploit it to execute code in kernel mode, bypassing Driver Signature Enforcement. Real-world examples include Embargo ransomware using MS4Killer, ZeroCleare using VBoxDrv.sys, APT29 exploiting CVE-2021-36934, and Turla exploiting VBoxDrv.sys vulnerabilities.

MITRE ATT&CK

Tactic
Privilege Escalation
Technique
T1068 Exploitation for Privilege Escalation
Canonical reference
https://attack.mitre.org/techniques/T1068/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
(
  (
    event.dataset == "windows.sysmon_operational"
    and event.code == "6"
    and (
      file.name : ("rtcore64.sys", "rtcore32.sys", "gdrv.sys", "gdrv2.sys",
        "asrdrv10.sys", "asrdrv101.sys", "asrdrv102.sys", "aswarpot.sys",
        "vboxdrv.sys", "dbutil_2_3.sys", "dbutildrv2.sys", "mhyprot2.sys",
        "mhyprot3.sys", "iqvw64e.sys", "iqvw32e.sys", "winring0x64.sys",
        "winring0.sys", "capcom.sys", "msio64.sys", "msio32.sys",
        "ms4killer.sys", "glckio2.sys", "physmem.sys", "nvflash.sys",
        "nicm.sys", "nscm.sys", "spwizeng.sys", "bs_rcio64.sys")
      or file.path : ("*\\temp\\*", "*\\tmp\\*", "*\\downloads\\*",
        "*\\appdata\\local\\*", "*\\appdata\\roaming\\*",
        "*\\users\\public\\*", "*\\programdata\\*",
        "*\\$recycle.bin\\*", "*\\windows\\tasks\\*", "*\\perflogs\\*")
    )
  )
  or
  (
    event.code == "4697"
    and winlog.event_data.ServiceType == "0x1"
    and (
      winlog.event_data.ServiceFileName : ("*rtcore64*", "*rtcore32*",
        "*gdrv.sys*", "*gdrv2.sys*", "*asrdrv10*", "*aswarpot*",
        "*vboxdrv*", "*dbutil_2_3*", "*dbutildrv2*", "*mhyprot*",
        "*iqvw64e*", "*iqvw32e*", "*winring0*", "*capcom.sys*",
        "*msio64*", "*msio32*", "*ms4killer*", "*physmem.sys*",
        "*nvflash*", "*nicm.sys*", "*nscm.sys*", "*bs_rcio64*")
      or winlog.event_data.ServiceFileName : ("*\\temp\\*", "*\\tmp\\*",
        "*\\downloads\\*", "*\\appdata\\*", "*\\users\\public\\*",
        "*\\programdata\\*", "*\\perflogs\\*")
    )
  )
)
critical severity high confidence

Detects BYOVD (Bring Your Own Vulnerable Driver) kernel driver abuse and exploitation for privilege escalation (T1068). Signal 1 monitors Sysmon Event 6 (Driver Load) via ECS-normalized file.name and file.path for 28 known-vulnerable driver filenames and suspicious user-writable staging paths. Signal 2 monitors Windows Security Event 4697 (Service Installation) for kernel-type service registrations (ServiceType=0x1) pointing to blocklisted driver names or suspicious paths. Covers Embargo's MS4Killer, APT29's CVE-2021-36934 tooling, ZeroCleare's VBoxDrv.sys abuse, and Turla variants.

Data Sources

Windows Sysmon Event ID 6 (Driver Load) via Elastic Agent Windows integration or WinlogbeatWindows Security Event ID 4697 (A service was installed in the system) via Elastic Agent or Winlogbeat

Required Tables

logs-windows.sysmon_operational-*logs-system.security-*winlogbeat-*

False Positives & Tuning

  • Overclocking and hardware monitoring utilities (MSI Afterburner, EVGA Precision X1, ASUS GPU Tweak II) that load RTCore64.sys or RTCore32.sys for GPU MMIO register access — these are exact blocklist name matches and will fire on every host startup until allowlisted by verified Authenticode hash
  • VirtualBox and VMware installations writing vboxdrv.sys or vmci.sys during fresh install or version upgrades where the installer stages drivers in %TEMP% before moving them to the final driver path
  • ASUS Armoury Crate, Gigabyte App Center, and ASRock Polychrome Sync shipping AsrDrv10x.sys or GDrv.sys variants for fan control, LED management, and voltage monitoring on gaming and workstation endpoints
Download portable Sigma rule (.yml)

Other platforms for T1068

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1BYOVD — Drop and Register Known Vulnerable Driver (RTCore64.sys Simulation)

    Expected signal: Windows Security Event ID 4697 (New Service Installed): ServiceName=RTCore64, ServiceFileName=C:\Windows\Temp\RTCore64.sys, ServiceType=0x1 (Kernel Driver). Sysmon Event ID 1 (Process Create): Image=sc.exe, CommandLine containing 'create RTCore64 type= kernel'. DeviceRegistryEvents: RegistryKey containing \Services\RTCore64, RegistryValueName=ImagePath, RegistryValueData=C:\Windows\Temp\RTCore64.sys.

  2. Test 2Suspicious Driver Load Path — Copy System Driver to Temp and Reload

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Users\Public\null_test.sys. Security Event ID 4697: ServiceFileName=C:\Users\Public\null_test.sys, ServiceType=0x1. DeviceRegistryEvents: RegistryKey containing \Services\TestPathDriver, ImagePath=C:\Users\Public\null_test.sys.

  3. Test 3SeLoadDriverPrivilege Assignment via sc.exe (Privilege Telemetry)

    Expected signal: Security Event ID 4697: ServiceName=FakePrivTest, ServiceType=0x1. Security Event ID 4672: PrivilegeList containing SeLoadDriverPrivilege assigned to the calling session's SubjectLogonId. System Event ID 7045 (New Service Installed) in System event log. sc.exe Process Create in Sysmon Event ID 1.

  4. Test 4Linux Kernel Module Load from Non-Standard Path (Container/Linux)

    Expected signal: Auditd SYSCALL record with syscall=finit_module or init_module, uid/euid of calling process. Syslog/kern.log message: 'df00tech_test: disagrees about version of symbol module_layout' or 'insmod: ERROR: could not insert module'. Auditd WATCH record for file access to /tmp/df00tech_test.ko. /var/log/audit/audit.log entries with key=t1068_test.

  5. Test 5BYOVD — Enumerate Loaded Drivers for Vulnerable Candidates

    Expected signal: Sysmon Event ID 1 (Process Create): driverquery.exe, sc.exe, powershell.exe executions with respective command lines. Security Event ID 4688 (if command-line auditing enabled) for same processes. WMI Activity log entries for Win32_SystemDriver query in Microsoft-Windows-WMI-Activity/Operational.

Last updated: 2026-04-17 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1068 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1543.003Windows ServiceT1105Ingress Tool TransferT1570Lateral Tool TransferT1562.001Disable or Modify ToolsT1003.001LSASS MemoryT1055Process InjectionT1014RootkitT1548.002Bypass User Account ControlT1078Valid Accounts

Same Tactic: Privilege Escalation

Popular Detections