sigmaDRL-1.1from SigmaHQ/sigma
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
Quality
88
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
title: Process Explorer Driver Creation By Non-Sysinternals Binary
id: de46c52b-0bf8-4936-a327-aace94f94ac6
status: test
description: |
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
- https://github.com/Yaxser/Backstab
- https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
- https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
author: Florian Roth (Nextron Systems)
date: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1068
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\PROCEXP'
TargetFilename|endswith: '.sys'
filter_main_process_explorer:
Image|endswith:
- '\procexp.exe'
- '\procexp64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives may occur with legitimate renamed process explorer binaries
level: high