Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Sigma rule (View on GitHub)
1title: Suspicious RazerInstaller Explorer Subprocess
2id: a4eaf250-7dc1-4842-862a-5e71cd59a167
3status: test
4description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
5references:
6 - https://twitter.com/j0nh4t/status/1429049506021138437
7 - https://streamable.com/q2dsji
8author: Florian Roth (Nextron Systems), Maxime Thiebaut
9date: 2021-08-23
10modified: 2024-12-01
11tags:
12 - attack.privilege-escalation
13 - attack.t1553
14 - detection.emerging-threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|endswith: '\RazerInstaller.exe'
21 IntegrityLevel:
22 - 'System'
23 - 'S-1-16-16384' # System
24 filter_main_razer:
25 Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
26 condition: selection and not 1 of filter_main_*
27falsepositives:
28 - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
29level: high
References
Related rules
- Exploiting CVE-2019-1388
- Potential CVE-2021-41379 Exploitation Attempt
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Diamond Sleet APT Scheduled Task Creation