HackTool - PCHunter Execution

Aug 12, 2024 · attack.execution attack.discovery attack.t1082 attack.t1057 attack.t1012 attack.t1083 attack.t1007 ·

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Sigma rule (View on GitHub)

 1title: HackTool - PCHunter Execution
 2id: fca949cc-79ca-446e-8064-01aa7e52ece5
 3status: test
 4description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
 5references:
 6    - https://web.archive.org/web/20231210115125/http://www.xuetr.com/
 7    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 8    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
 9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
10date: 2022-10-10
11modified: 2023-02-13
12tags:
13    - attack.execution
14    - attack.discovery
15    - attack.t1082
16    - attack.t1057
17    - attack.t1012
18    - attack.t1083
19    - attack.t1007
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_image:
25        Image|endswith:
26            - '\PCHunter64.exe'
27            - '\PCHunter32.exe'
28    selection_pe:
29        - OriginalFileName: 'PCHunter.exe'
30        - Description: 'Epoolsoft Windows Information View Tools'
31    selection_hashes:
32        Hashes|contains:
33            - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
34            - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
35            - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
36            - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
37            - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
38            - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
39            - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
40            - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
41    selection_hash_values:
42        - md5:
43              - '228dd0c2e6287547e26ffbd973a40f14'
44              - '987b65cd9b9f4e9a1afd8f8b48cf64a7'
45        - sha1:
46              - '5f1cbc3d99558307bc1250d084fa968521482025'
47              - '3fb89787cb97d902780da080545584d97fb1c2eb'
48        - sha256:
49              - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
50              - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
51        - Imphash:
52              - '444d210cea1ff8112f256a4997eed7ff'
53              - '0479f44df47cfa2ef1ccc4416a538663'
54    condition: 1 of selection_*
55falsepositives:
56    - Unlikely
57level: high

References

Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the ...

Read More
Threat Hunting Report Finds Increase in eCrime | CrowdStrike

The Falcon OverWatch report is filled with compelling stories that provide insight into the threat landscape and adversary tactics used during the first half of 2019.

Read More
Kernel hacking tool you might have never heard of – XueTR/PCHunter

It is a good habit to keep your eyes open and monitor the updates to your favorite tools. I do it ‘religiously’ and comb the internet for the updates every once in a while. I know that some of thes...

Read More

HackTool - PCHunter Execution

Sigma rule (View on GitHub)

References

Threat Hunting Report Finds Increase in eCrime | CrowdStrike

Kernel hacking tool you might have never heard of &#8211; XueTR/PCHunter

Related rules

Kernel hacking tool you might have never heard of – XueTR/PCHunter