ProcessHacker Privilege Elevation
Detects a ProcessHacker tool that elevated privileges to a very high level
Sigma rule (View on GitHub)
1title: ProcessHacker Privilege Elevation
2id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
3status: test
4description: Detects a ProcessHacker tool that elevated privileges to a very high level
5references:
6 - https://twitter.com/1kwpeter/status/1397816101455765504
7author: Florian Roth (Nextron Systems)
8date: 2021-05-27
9modified: 2022-12-25
10tags:
11 - attack.execution
12 - attack.privilege-escalation
13 - attack.t1543.003
14 - attack.t1569.002
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 Provider_Name: 'Service Control Manager'
21 EventID: 7045
22 ServiceName|startswith: 'ProcessHacker'
23 AccountName: 'LocalSystem'
24 condition: selection
25falsepositives:
26 - Unlikely
27level: high
References
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Potential CobaltStrike Service Installations - Registry
- Sliver C2 Default Service Installation
- PSEXEC Remote Execution File Artefact