Process Monitor Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
Sigma rule

title: Process Monitor Driver Creation By Non-Sysinternals Binary
id: a05baa88-e922-4001-bc4d-8738135f27de
status: test
description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\procmon'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procmon.exe'
            - '\procmon64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur with legitimate renamed process monitor binaries
level: medium
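To make the condition concrete, the following Python is an added example (not part of the rule or of the Sigma project) that reproduces the detection block over constructed Sysmon file-create style records. It applies Sigma's default semantics: string comparisons are case-insensitive, the two `TargetFilename` modifiers inside `selection` are AND-ed, the list under `Image|endswith` is OR-ed, and `selection and not 1 of filter_main_*` fires only when the selection holds and no `filter_main_` block matches. The event dictionaries, paths and the driver file name used in them are constructed sample data, not captured telemetry.

```python
"""Reference evaluation of the rule's detection logic over constructed events."""


def _ci(value: str) -> str:
    # Sigma string modifiers compare case-insensitively by default.
    return value.lower()


def selection(event: dict) -> bool:
    """'selection': TargetFilename contains '\\procmon' AND ends with '.sys'."""
    target = _ci(event.get("TargetFilename", ""))
    return "\\procmon" in target and target.endswith(".sys")


def filter_main_process_explorer(event: dict) -> bool:
    """Filter block: Image ends with any of the listed procmon binaries (list = OR)."""
    image = _ci(event.get("Image", ""))
    return any(image.endswith(suffix) for suffix in ("\\procmon.exe", "\\procmon64.exe"))


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_process_explorer(event)


# Constructed file-create events (Sysmon Event ID 11 shape), not real telemetry.
SAMPLE_EVENTS = [
    # 0: Process Monitor itself dropping its driver -> suppressed by the filter
    {"Image": r"C:\Tools\Procmon64.exe",
     "TargetFilename": r"C:\Windows\System32\Drivers\PROCMON24.sys"},
    # 1: renamed procmon binary (the documented false positive) -> alerts
    {"Image": r"C:\Users\alice\Downloads\pm.exe",
     "TargetFilename": r"C:\Windows\System32\Drivers\PROCMON24.sys"},
    # 2: unrelated loader writing a procmon-named driver to a temp dir -> alerts
    {"Image": r"C:\Users\alice\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\procmon.sys"},
    # 3: same loader writing an .exe, not a .sys -> no match
    {"Image": r"C:\Users\alice\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\procmon64.exe"},
    # 4: driver renamed so the path no longer contains '\procmon' -> no match
    {"Image": r"C:\Users\alice\Downloads\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\drv.sys"},
]


def run(events) -> list:
    """Return the indices of events the rule would alert on."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['Image']} -> {SAMPLE_EVENTS[i]['TargetFilename']}")
```

Events 1 and 2 fire; event 0 is suppressed because the writer's image name matches the filter, and event 4 shows the limit of a filename-based rule: a driver written under any name that does not contain `\procmon` is outside the rule's scope, so this detection should be paired with driver-load or signature-based telemetry rather than relied on alone.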
Related rules
- Process Explorer Driver Creation By Non-Sysinternals Binary
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address