HackTool - PCHunter Execution

 1title: HackTool - PCHunter Execution
 2id: fca949cc-79ca-446e-8064-01aa7e52ece5
 3status: test
 4description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
 5references:
 6    - https://web.archive.org/web/20231210115125/http://www.xuetr.com/
 7    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 8    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
 9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
10date: 2022-10-10
11modified: 2024-11-23
12tags:
13    - attack.execution
14    - attack.discovery
15    - attack.t1082
16    - attack.t1057
17    - attack.t1012
18    - attack.t1083
19    - attack.t1007
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_image:
25        Image|endswith:
26            - '\PCHunter64.exe'
27            - '\PCHunter32.exe'
28    selection_pe:
29        - OriginalFileName: 'PCHunter.exe'
30        - Description: 'Epoolsoft Windows Information View Tools'
31    selection_hashes:
32        Hashes|contains:
33            - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
34            - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
35            - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
36            - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
37            - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
38            - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
39            - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
40            - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
41    condition: 1 of selection_*
42falsepositives:
43    - Unlikely
44level: high

References

• 

   Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the ...

  
  Read More

• Threat Hunting Report Finds Increase in eCrime | CrowdStrike

  The Falcon OverWatch report is filled with compelling stories that provide insight into the threat landscape and adversary tactics used during the first half of 2019.

  
  Read More

• Kernel hacking tool you might have never heard of – XueTR/PCHunter

  

  It is a good habit to keep your eyes open and monitor the updates to your favorite tools. I do it ‘religiously’ and comb the internet for the updates every once in a while. I know that some of thes...

  
  Read More

Related rules

• Cisco Discovery
• HackTool - WinPwn Execution
• HackTool - WinPwn Execution - ScriptBlock
• Operation Wocao Activity
• Operation Wocao Activity - Security