PUA - Process Hacker Driver Load
Detects a driver load of the Process Hacker tool's kernel driver (kprocesshacker.sys), either by file name or by import hash (IMPHASH).
Sigma rule
title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
    - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
      type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
    - https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - cve.2021-21551
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\kprocesshacker.sys'
        - Hashes|contains:
              - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
              - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
              - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
              - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
    condition: selection
falsepositives:
    - Legitimate use of process hacker or system informer by developers or system administrators
level: high
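The following is an added example, not part of the Sigma rule or of SigmaHQ: it evaluates the rule's `selection` block against a few constructed Sysmon Event ID 6 (DriverLoad) records so the two selectors can be seen firing independently. The field names ImageLoaded and Hashes are Sysmon's; every path and hash in the sample records is constructed for illustration, except the four IMPHASH values, which are copied from the rule. Note that a Sigma selection written as a list is an OR of its items, and the `endswith`/`contains` modifiers are case-insensitive by default.

```python
# Added example: the rule's `selection` logic applied to constructed Sysmon
# driver_load records. Not the rule's or SigmaHQ's own code.
from typing import Dict, List

# Values copied from the rule above.
DRIVER_SUFFIX = r"\kprocesshacker.sys"
IMPHASHES = (
    "IMPHASH=821D74031D3F625BCBD0DF08B70F1E77",
    "IMPHASH=F86759BB4DE4320918615DC06E998A39",
    "IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18",
    "IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0",
)


def match_reasons(event: Dict[str, str]) -> List[str]:
    """Return the selector(s) of the rule that fire for one driver_load event.

    Sigma `endswith`/`contains` are case-insensitive by default, so both
    comparisons run on lower-cased values. Sysmon's Hashes field is a
    comma-separated list ("SHA1=...,MD5=...,SHA256=...,IMPHASH=..."), so a
    substring test for "IMPHASH=<value>" is enough, just as `contains` does.
    """
    reasons = []
    image = event.get("ImageLoaded", "").lower()
    hashes = event.get("Hashes", "").lower()
    if image.endswith(DRIVER_SUFFIX.lower()):
        reasons.append("ImageLoaded|endswith")
    if any(h.lower() in hashes for h in IMPHASHES):
        reasons.append("Hashes|contains")
    return reasons


def matches(event: Dict[str, str]) -> bool:
    """condition: selection -> alert when any selector fires."""
    return bool(match_reasons(event))


def filter_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if matches(e)]


# Constructed sample records (hypothetical paths; SHA256 values are filler).
SAMPLE_EVENTS = [
    # 1. Default install path: both selectors fire.
    {
        "ImageLoaded": r"C:\Program Files\Process Hacker 2\kprocesshacker.sys",
        "Hashes": "SHA256=" + "C" * 64
        + ",IMPHASH=821D74031D3F625BCBD0DF08B70F1E77",
    },
    # 2. Same driver dropped under another name: the path selector misses,
    #    the import hash still catches it (lower case here only to show the
    #    comparison is case-insensitive).
    {
        "ImageLoaded": r"C:\Windows\Temp\update.sys",
        "Hashes": "SHA256=" + "D" * 64
        + ",IMPHASH=f86759bb4de4320918615dc06e998a39",
    },
    # 3. Unrelated driver with a different import hash: no match.
    {
        "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
        "Hashes": "SHA256=" + "E" * 64 + ",IMPHASH=" + "F" * 32,
    },
    # 4. Renamed driver logged by a Sysmon config whose HashAlgorithms does
    #    not include IMPHASH: the rule has nothing to match on (blind spot).
    {
        "ImageLoaded": r"C:\Windows\Temp\update.sys",
        "Hashes": "SHA256=" + "D" * 64,
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["ImageLoaded"], "->", match_reasons(event) or "no match")
```

Record 4 is the practical caveat: the IMPHASH selector only helps when the Sysmon configuration's HashAlgorithms setting includes IMPHASH (or `*`), so on collectors that log only SHA256 a renamed kprocesshacker.sys is invisible to this rule and the file-name selector is all that remains.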
References
- https://processhacker.sourceforge.io/
Related rules
- PUA - Process Hacker Execution
- PUA - System Informer Driver Load
- PUA - System Informer Execution
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation