ProcessHacker Privilege Elevation
Detects a ProcessHacker tool that elevated privileges to a very high level
Sigma rule (View on GitHub)
1title: ProcessHacker Privilege Elevation
2id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
3status: test
4description: Detects a ProcessHacker tool that elevated privileges to a very high level
5references:
6 - https://twitter.com/1kwpeter/status/1397816101455765504
7author: Florian Roth (Nextron Systems)
8date: 2021-05-27
9modified: 2022-12-25
10tags:
11 - attack.persistence
12 - attack.execution
13 - attack.privilege-escalation
14 - attack.t1543.003
15 - attack.t1569.002
16logsource:
17 product: windows
18 service: system
19detection:
20 selection:
21 Provider_Name: 'Service Control Manager'
22 EventID: 7045
23 ServiceName|startswith: 'ProcessHacker'
24 AccountName: 'LocalSystem'
25 condition: selection
26falsepositives:
27 - Unlikely
28level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- Potential CobaltStrike Service Installations - Registry
- Remote Access Tool Services Have Been Installed - Security