Suspicious RazerInstaller Explorer Subprocess

Jun 20, 2023 · attack.privilege_escalation attack.t1553 detection.emerging_threats ·

Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM

Sigma rule (View on GitHub)

 1title: Suspicious RazerInstaller Explorer Subprocess
 2id: a4eaf250-7dc1-4842-862a-5e71cd59a167
 3status: test
 4description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
 5references:
 6    - https://twitter.com/j0nh4t/status/1429049506021138437
 7    - https://streamable.com/q2dsji
 8author: Florian Roth (Nextron Systems), Maxime Thiebaut
 9date: 2021/08/23
10modified: 2022/10/09
11tags:
12    - attack.privilege_escalation
13    - attack.t1553
14    - detection.emerging_threats
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        ParentImage|endswith: '\RazerInstaller.exe'
21        IntegrityLevel: 'System'
22    filter:
23        Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
24    condition: selection and not filter
25falsepositives:
26    - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
27level: high

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More
https://streamable.com/q2dsji

Read More

Suspicious RazerInstaller Explorer Subprocess

Sigma rule (View on GitHub)

References

https://streamable.com/q2dsji

Related rules