Detect Exploitation for Privilege Escalation in Microsoft Sentinel
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. A key sub-technique is Bring Your Own Vulnerable Driver (BYOVD), where adversaries drop a legitimately signed but vulnerable kernel driver onto a compromised machine and then exploit it to execute code in kernel mode, bypassing Driver Signature Enforcement. Real-world examples include Embargo ransomware using MS4Killer, ZeroCleare using VBoxDrv.sys, APT29 exploiting CVE-2021-36934, and Turla exploiting VBoxDrv.sys vulnerabilities.
MITRE ATT&CK
- Tactic
- Privilege Escalation
- Canonical reference
- https://attack.mitre.org/techniques/T1068/
KQL Detection Query
let SuspiciousDriverPaths = dynamic([
"\\temp\\", "\\tmp\\", "\\downloads\\", "\\appdata\\local\\",
"\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\",
"\\$recycle.bin\\", "\\windows\\tasks\\", "\\perflogs\\"
]);
let KnownVulnerableDriverNames = dynamic([
"rtcore64.sys", "rtcore32.sys", "gdrv.sys", "gdrv2.sys",
"asrdrv10.sys", "asrdrv101.sys", "asrdrv102.sys",
"aswarpot.sys", "vboxdrv.sys",
"dbutil_2_3.sys", "dbutildrv2.sys",
"mhyprot2.sys", "mhyprot3.sys",
"iqvw64e.sys", "iqvw32e.sys",
"winring0x64.sys", "winring0.sys",
"capcom.sys", "msio64.sys", "msio32.sys",
"ms4killer.sys", "glckio2.sys",
"physmem.sys", "nvflash.sys",
"nicm.sys", "nscm.sys",
"spwizeng.sys", "bs_rcio64.sys"
]);
// Signal 1: Known vulnerable driver loaded (BYOVD)
let BYOVDDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where tolower(FileName) in (KnownVulnerableDriverNames)
| extend DetectionSignal = "KnownVulnerableDriverLoaded"
| project Timestamp, DeviceName, AccountName, DetectionSignal,
DriverFile=FileName, DriverPath=FolderPath,
SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName;
// Signal 2: Driver (.sys) loaded from user-writable or suspicious path
let SuspiciousPathDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName endswith ".sys"
| where tolower(FolderPath) has_any (SuspiciousDriverPaths)
| extend DetectionSignal = "DriverLoadedFromSuspiciousPath"
| project Timestamp, DeviceName, AccountName, DetectionSignal,
DriverFile=FileName, DriverPath=FolderPath,
SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName;
// Signal 3: New driver service registered pointing to suspicious path (pre-load step)
let SuspiciousDriverService = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\SYSTEM\\CurrentControlSet\\Services\\"
| where RegistryValueName == "ImagePath"
| where tolower(RegistryValueData) endswith ".sys"
| where tolower(RegistryValueData) has_any (SuspiciousDriverPaths)
or tolower(RegistryValueData) has_any (KnownVulnerableDriverNames)
| extend DetectionSignal = "SuspiciousDriverServiceRegistered"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
DetectionSignal, DriverFile=tostring(split(RegistryValueData, "\\")[-1]),
DriverPath=RegistryValueData, SHA256="",
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName;
// Signal 4: Security Event 4697 — new kernel driver service installed
let NewDriverServiceInstalled = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4697
| where ServiceType == "0x1" // Kernel driver
| where tolower(ServiceFileName) has_any (SuspiciousDriverPaths)
or tolower(ServiceFileName) has_any (KnownVulnerableDriverNames)
| extend DetectionSignal = "KernelDriverServiceInstalled_4697"
| project Timestamp=TimeGenerated, DeviceName=Computer,
AccountName=SubjectUserName, DetectionSignal,
DriverFile=ServiceName, DriverPath=ServiceFileName, SHA256="",
InitiatingProcessFileName="", InitiatingProcessCommandLine="",
InitiatingProcessAccountName=SubjectUserName;
// Union all signals
BYOVDDriverLoad
| union SuspiciousPathDriverLoad
| union SuspiciousDriverService
| union NewDriverServiceInstalled
| sort by Timestamp descMulti-signal detection for T1068 Exploitation for Privilege Escalation, focused on the Bring Your Own Vulnerable Driver (BYOVD) sub-pattern. Covers four detection signals: (1) known vulnerable drivers loaded by name (RTCore64, DBUtil_2_3, MHyprot2, WinRing0, Capcom, etc. sourced from the LOLDrivers project), (2) any .sys driver loaded from user-writable or suspicious filesystem paths, (3) registry service key creation pointing to a .sys in a suspicious path (the pre-load registration step), and (4) Security Event 4697 (new kernel driver service installed) for drivers matching suspicious paths or known vulnerable names. Uses DeviceImageLoadEvents, DeviceRegistryEvents, and SecurityEvent tables.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate use of virtualization software (VMware, VirtualBox) loading VBoxDrv.sys or vmware*.sys during installation or normal operation
- Security research or penetration testing tools that use signed vulnerable drivers in controlled environments
- Overclocking or hardware monitoring utilities (MSI Afterburner loading RTCore64.sys, ASUS GPU Tweak loading AsrDrv) on gaming or engineering workstations
- Dell BIOS update utilities legitimately loading dbutil_2_3.sys or dbutildrv2.sys as part of authorized firmware updates
- Kernel debugging sessions by authorized developers loading unsigned or test-signed drivers via WinDbg or similar
- Software deployment tools (SCCM, PDQ Deploy) installing legitimate hardware vendor drivers that happen to match path patterns
Other platforms for T1068
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1BYOVD — Drop and Register Known Vulnerable Driver (RTCore64.sys Simulation)
Expected signal: Windows Security Event ID 4697 (New Service Installed): ServiceName=RTCore64, ServiceFileName=C:\Windows\Temp\RTCore64.sys, ServiceType=0x1 (Kernel Driver). Sysmon Event ID 1 (Process Create): Image=sc.exe, CommandLine containing 'create RTCore64 type= kernel'. DeviceRegistryEvents: RegistryKey containing \Services\RTCore64, RegistryValueName=ImagePath, RegistryValueData=C:\Windows\Temp\RTCore64.sys.
- Test 2Suspicious Driver Load Path — Copy System Driver to Temp and Reload
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Users\Public\null_test.sys. Security Event ID 4697: ServiceFileName=C:\Users\Public\null_test.sys, ServiceType=0x1. DeviceRegistryEvents: RegistryKey containing \Services\TestPathDriver, ImagePath=C:\Users\Public\null_test.sys.
- Test 3SeLoadDriverPrivilege Assignment via sc.exe (Privilege Telemetry)
Expected signal: Security Event ID 4697: ServiceName=FakePrivTest, ServiceType=0x1. Security Event ID 4672: PrivilegeList containing SeLoadDriverPrivilege assigned to the calling session's SubjectLogonId. System Event ID 7045 (New Service Installed) in System event log. sc.exe Process Create in Sysmon Event ID 1.
- Test 4Linux Kernel Module Load from Non-Standard Path (Container/Linux)
Expected signal: Auditd SYSCALL record with syscall=finit_module or init_module, uid/euid of calling process. Syslog/kern.log message: 'df00tech_test: disagrees about version of symbol module_layout' or 'insmod: ERROR: could not insert module'. Auditd WATCH record for file access to /tmp/df00tech_test.ko. /var/log/audit/audit.log entries with key=t1068_test.
- Test 5BYOVD — Enumerate Loaded Drivers for Vulnerable Candidates
Expected signal: Sysmon Event ID 1 (Process Create): driverquery.exe, sc.exe, powershell.exe executions with respective command lines. Security Event ID 4688 (if command-line auditing enabled) for same processes. WMI Activity log entries for Win32_SystemDriver query in Microsoft-Windows-WMI-Activity/Operational.
References (12)
- https://attack.mitre.org/techniques/T1068/
- https://www.loldrivers.io/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rockyou2024-data-leak-ms4killer/
- https://github.com/wavestone-cdt/EDRSandblast
- https://github.com/Idov31/Nidhogg
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimageloadevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1068/T1068.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load
Unlock Pro Content
Get the full detection package for T1068 including response playbook, investigation guide, and atomic red team tests.