Process Explorer Driver Creation By Non-Sysinternals Binary

calendar Mar 1, 2024 · attack.persistence attack.privilege_escalation attack.t1068  ·
Share on: linkedin copy

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.

Sigma rule (View on GitHub)

 1title: Process Explorer Driver Creation By Non-Sysinternals Binary
 2id: de46c52b-0bf8-4936-a327-aace94f94ac6
 3status: test
 4description: |
 5    Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
 6    Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.    
 7references:
 8    - https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
 9    - https://github.com/Yaxser/Backstab
10    - https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
11    - https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
12author: Florian Roth (Nextron Systems)
13date: 2023/05/05
14tags:
15    - attack.persistence
16    - attack.privilege_escalation
17    - attack.t1068
18logsource:
19    product: windows
20    category: file_event
21detection:
22    selection:
23        TargetFilename|contains: '\PROCEXP'
24        TargetFilename|endswith: '.sys'
25    filter_main_process_explorer:
26        Image|endswith:
27            - '\procexp.exe'
28            - '\procexp64.exe'
29    condition: selection and not 1 of filter_main_*
30falsepositives:
31    - Some false positives may occur with legitimate renamed process explorer binaries
32level: high

References

Related rules

to-top