PUA - Process Hacker Driver Load
Detects driver load of the Process Hacker tool
Sigma rule
title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
    - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
      type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
    - https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2023-05-08
tags:
    - attack.privilege-escalation
    - cve.2021-21551
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection_image:
        ImageLoaded|endswith: '\kprocesshacker.sys'
    selection_processhack_sysmon:
        Hashes|contains:
            - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
            - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
            - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
            - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
    selection_processhack_hashes:
        Imphash:
            - '821D74031D3F625BCBD0DF08B70F1E77'
            - 'F86759BB4DE4320918615DC06E998A39'
            - '0A64EEB85419257D0CE32BD5D55C3A18'
            - '6E7B34DFC017700B1517B230DF6FF0D0'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of process hacker or system informer by developers or system administrators
level: high
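How the three selections and the "1 of selection_*" condition behave on driver-load events, as an added Python example that is not part of the rule or of the Sigma project. The event dictionaries, file paths and the non-rule hash values are constructed for illustration; the function names are hypothetical.

```python
# Added example: evaluates this rule's selections against Sysmon-style
# driver-load events. All sample events below are constructed.

IMPHASHES = {
    "821D74031D3F625BCBD0DF08B70F1E77",
    "F86759BB4DE4320918615DC06E998A39",
    "0A64EEB85419257D0CE32BD5D55C3A18",
    "6E7B34DFC017700B1517B230DF6FF0D0",
}

def matched_selections(event):
    """Return the names of the rule's selections that match `event`."""
    hits = []
    # Sigma string comparisons are case-insensitive by default.
    image = event.get("ImageLoaded", "").lower()
    if image.endswith("\\kprocesshacker.sys"):
        hits.append("selection_image")
    # Sysmon puts all hashes in one comma-separated "Hashes" string.
    hashes = event.get("Hashes", "").upper()
    if any("IMPHASH=" + h in hashes for h in IMPHASHES):
        hits.append("selection_processhack_sysmon")
    # Some log pipelines split the import hash into its own field.
    if event.get("Imphash", "").upper() in IMPHASHES:
        hits.append("selection_processhack_hashes")
    return hits

def rule_fires(event):
    # condition: 1 of selection_*
    return bool(matched_selections(event))

EVENTS = [
    # Default driver file name, no hash fields logged
    {"ImageLoaded": r"C:\Program Files\Process Hacker 2\KProcessHacker.sys"},
    # Different file name: only the Sysmon Hashes string identifies it
    {"ImageLoaded": r"C:\Windows\Temp\drv01.sys",
     "Hashes": "SHA256=" + "0" * 64 + ",IMPHASH=821D74031D3F625BCBD0DF08B70F1E77"},
    # Different file name, pipeline with a separate Imphash field
    {"ImageLoaded": r"C:\Windows\Temp\drv02.sys",
     "Imphash": "f86759bb4de4320918615dc06e998a39"},
    # Unrelated driver: no selection matches
    {"ImageLoaded": r"C:\Windows\System32\drivers\example.sys",
     "Hashes": "IMPHASH=" + "A" * 32},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ImageLoaded"], "->", matched_selections(ev) or "no match")
```

The second and third events show why the rule carries the import hashes twice: the file-name selection alone misses a driver loaded under another name, and which hash field is populated depends on the log source.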
Related rules
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- KrbRelayUp Service Installation
- PUA - Process Hacker Execution
- PUA - System Informer Driver Load