Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Sigma rule (View on GitHub)
1title: Suspicious RazerInstaller Explorer Subprocess
2id: a4eaf250-7dc1-4842-862a-5e71cd59a167
3status: test
4description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
5references:
6 - https://twitter.com/j0nh4t/status/1429049506021138437
7 - https://streamable.com/q2dsji
8author: Florian Roth (Nextron Systems), Maxime Thiebaut
9date: 2021-08-23
10modified: 2024-12-01
11tags:
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1553
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 ParentImage|endswith: '\RazerInstaller.exe'
22 IntegrityLevel:
23 - 'System'
24 - 'S-1-16-16384' # System
25 filter_main_razer:
26 Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
30level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- APT27 - Emissary Panda Activity
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators