Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Sigma rule (View on GitHub)
1title: Suspicious RazerInstaller Explorer Subprocess
2id: a4eaf250-7dc1-4842-862a-5e71cd59a167
3status: test
4description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
5references:
6 - https://twitter.com/j0nh4t/status/1429049506021138437
7 - https://streamable.com/q2dsji
8author: Florian Roth (Nextron Systems), Maxime Thiebaut
9date: 2021-08-23
10modified: 2022-10-09
11tags:
12 - attack.privilege-escalation
13 - attack.t1553
14 - detection.emerging-threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|endswith: '\RazerInstaller.exe'
21 IntegrityLevel: 'System'
22 filter:
23 Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
24 condition: selection and not filter
25falsepositives:
26 - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
27level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- CVE-2022-24527 Microsoft Connected Cache LPE
- Exploiting CVE-2019-1388
- Exploiting SetupComplete.cmd CVE-2019-1378
- Malware Shellcode in Verclsid Target Process