PUA - Process Hacker Driver Load
Detects a load of the Process Hacker kernel driver (kprocesshacker.sys), matched either by the driver's file name or by one of its known import hashes
Sigma rule
title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
    - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
      type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
    - https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - cve.2021-21551
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\kprocesshacker.sys'
        - Hashes|contains:
              - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
              - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
              - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
              - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
    condition: selection
falsepositives:
    - Legitimate use of process hacker or system informer by developers or system administrators
level: high
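The selection above is a list of two maps, which Sigma combines with OR: an event alerts if the loaded image path ends in \kprocesshacker.sys, or if the Sysmon Hashes string contains one of the listed IMPHASH values. The following is an added example, not code from the rule or from the SigmaHQ project, that evaluates that logic against constructed Sysmon Event ID 6 (DriverLoad) records. The field names ImageLoaded and Hashes are Sysmon's; the sample paths and hash values are constructed for illustration, except for the four IMPHASH values, which are copied from the rule. It also shows the blind spot a practitioner should check: if Sysmon's HashAlgorithms setting does not include IMPHASH, the hash branch can never fire and a renamed copy of the driver is only caught by its file name.

```python
# Added example (not the rule's own code nor part of the SigmaHQ project):
# a stand-alone evaluation of the rule's `selection` block against constructed
# Sysmon Event ID 6 (DriverLoad) records. Field names (ImageLoaded, Hashes)
# follow Sysmon's event schema; every sample record below is constructed.

# Values copied verbatim from the rule above.
IMAGE_SUFFIX = r"\kprocesshacker.sys"
IMPHASHES = (
    "821D74031D3F625BCBD0DF08B70F1E77",
    "F86759BB4DE4320918615DC06E998A39",
    "0A64EEB85419257D0CE32BD5D55C3A18",
    "6E7B34DFC017700B1517B230DF6FF0D0",
)


def parse_hashes(hashes_field: str) -> dict:
    """Split Sysmon's 'ALG=VALUE,ALG=VALUE' Hashes string into {ALG: VALUE}."""
    parsed = {}
    for part in hashes_field.split(","):
        alg, sep, value = part.partition("=")
        if sep:
            parsed[alg.strip().upper()] = value.strip().upper()
    return parsed


def imphash_present(event: dict) -> bool:
    """True if Sysmon recorded an import hash for this event. If HashAlgorithms in
    the Sysmon config does not include IMPHASH, the rule's hash branch can never fire."""
    return "IMPHASH" in parse_hashes(event.get("Hashes", ""))


def match_reason(event: dict):
    """Evaluate `condition: selection`. The selection is a list of two maps, which
    Sigma combines with OR; Sigma string matching is case-insensitive, so both
    sides are normalised. Returns the branch that matched, or None."""
    image = event.get("ImageLoaded", "")
    if image.lower().endswith(IMAGE_SUFFIX.lower()):          # ImageLoaded|endswith
        return "ImageLoaded"
    hashes = event.get("Hashes", "").upper()
    if any(f"IMPHASH={h}" in hashes for h in IMPHASHES):      # Hashes|contains
        return "IMPHASH"
    return None


def evaluate(events):
    """Return (index, reason) for every event the rule would alert on."""
    hits = []
    for i, ev in enumerate(events):
        reason = match_reason(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed Sysmon Event 6 records, reduced to the two fields the rule uses.
SAMPLE_EVENTS = [
    # Default install path and a listed import hash: both branches would fire.
    {"ImageLoaded": r"C:\Program Files\Process Hacker 2\kprocesshacker.sys",
     "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=821D74031D3F625BCBD0DF08B70F1E77"},
    # Driver renamed and dropped elsewhere; only the import hash (lower-case here) gives it away.
    {"ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA256=" + "22" * 32 + ",IMPHASH=f86759bb4de4320918615dc06e998a39"},
    # Same renamed driver on a host whose Sysmon config does not compute IMPHASH: a blind spot.
    {"ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA256=" + "22" * 32},
    # Benign driver with an unrelated import hash.
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "33" * 32 + ",IMPHASH=" + "AB" * 16},
]

if __name__ == "__main__":
    for idx, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: alert via {reason}")
    for idx, ev in enumerate(SAMPLE_EVENTS):
        if not imphash_present(ev):
            print(f"event {idx}: no IMPHASH in Hashes; only the path branch can match")
```

Running the block alerts on events 0 and 1 and flags event 2 as lacking an import hash. In a real deployment the equivalent check is on the collector side: confirm the Sysmon configuration's HashAlgorithms includes IMPHASH before relying on the second branch of this rule.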
References
- https://processhacker.sourceforge.io/
Related rules
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- KrbRelayUp Service Installation
- PUA - System Informer Driver Load
- Service Installed By Unusual Client - Security