PUA - Process Hacker Driver Load

Detects driver load of the Process Hacker tool

Sigma rule

title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
    - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
      type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
    - https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2023-05-08
tags:
    - attack.privilege-escalation
    - cve.2021-21551
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection_image:
        ImageLoaded|endswith: '\kprocesshacker.sys'
    selection_processhack_sysmon:
        Hashes|contains:
            - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
            - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
            - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
            - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
    selection_processhack_hashes:
        Imphash:
            - '821D74031D3F625BCBD0DF08B70F1E77'
            - 'F86759BB4DE4320918615DC06E998A39'
            - '0A64EEB85419257D0CE32BD5D55C3A18'
            - '6E7B34DFC017700B1517B230DF6FF0D0'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of process hacker or system informer by developers or system administrators
level: high
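The rule combines a path check (the driver's original file name) with two imphash checks so that a renamed copy of kprocesshacker.sys still triggers. The following is an added example, not code from the SigmaHQ rule or from pySigma: a minimal evaluator that transcribes the three selections above, applies Sigma's semantics (values in a list are ORed, fields within a selection are ANDed, matching is case-insensitive, and `1 of selection_*` fires when any selection matches) and runs them over constructed driver_load events in the Sysmon Event ID 6 field layout. The file paths, SHA256 strings and the benign imphash in the sample events are made up for the example; only the four imphash values come from the rule.

```python
"""Evaluate the 'PUA - Process Hacker Driver Load' selections against
driver_load events. Added example, not SigmaHQ or pySigma code."""

# Selections transcribed from the rule. A key of the form 'Field|modifier'
# uses Sigma's endswith / contains semantics; a bare field name means exact
# match. Sigma string matching is case-insensitive, so values are compared
# lower-cased.
RULE_SELECTIONS = {
    "selection_image": {
        "ImageLoaded|endswith": ["\\kprocesshacker.sys"],
    },
    "selection_processhack_sysmon": {
        "Hashes|contains": [
            "IMPHASH=821D74031D3F625BCBD0DF08B70F1E77",
            "IMPHASH=F86759BB4DE4320918615DC06E998A39",
            "IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18",
            "IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0",
        ],
    },
    "selection_processhack_hashes": {
        "Imphash": [
            "821D74031D3F625BCBD0DF08B70F1E77",
            "F86759BB4DE4320918615DC06E998A39",
            "0A64EEB85419257D0CE32BD5D55C3A18",
            "6E7B34DFC017700B1517B230DF6FF0D0",
        ],
    },
}


def _value_matches(modifier, actual, expected):
    """Apply one Sigma string modifier (or exact match) case-insensitively."""
    actual, expected = actual.lower(), expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def _field_matches(spec, values, event):
    """Field spec matches when the field exists and ANY listed value matches (list = OR)."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    return any(_value_matches(modifier, str(actual), v) for v in values)


def matching_selections(event):
    """Names of the selections whose fields ALL match the event (fields = AND)."""
    return [
        name for name, selection in RULE_SELECTIONS.items()
        if all(_field_matches(spec, values, event) for spec, values in selection.items())
    ]


def rule_fires(event):
    """condition: 1 of selection_*  ->  at least one selection_* matches."""
    return any(name.startswith("selection_") for name in matching_selections(event))


def triage(events):
    """Return (index, matched selection names) for every event the rule fires on."""
    return [(i, matching_selections(e)) for i, e in enumerate(events) if rule_fires(e)]


# Constructed driver_load events (Sysmon Event ID 6 field names). Paths, SHA256
# strings and the benign imphash are invented for this example.
SAMPLE_EVENTS = [
    {   # original file name plus a listed imphash: path and hash selections both hit
        "ImageLoaded": r"C:\Users\dev\Desktop\ProcessHacker\kprocesshacker.sys",
        "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=821D74031D3F625BCBD0DF08B70F1E77",
    },
    {   # driver renamed before loading: the path check misses, the imphash still hits
        "ImageLoaded": r"C:\Windows\Temp\update.sys",
        "Hashes": "SHA256=" + "22" * 32 + ",IMPHASH=f86759bb4de4320918615dc06e998a39",
    },
    {   # ordinary Windows driver with an unrelated imphash: no selection matches
        "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Hashes": "SHA256=" + "33" * 32 + ",IMPHASH=" + "AB" * 16,
    },
]


if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['ImageLoaded']} -> {names}")
```

The second sample event is the reason the hash selections exist: a defender who only keyed on the file name would miss a renamed driver, whereas the import hash survives the rename. The `Imphash` selection covers log sources that expose the import hash as its own field instead of inside Sysmon's combined `Hashes` string, which is why the evaluator treats a missing field as a non-match rather than an error.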
