PUA - Process Hacker Execution

calendar Nov 25, 2024 · attack.defense-evasion attack.discovery attack.persistence attack.privilege-escalation attack.t1622 attack.t1564 attack.t1543  ·
Share on: linkedin copy

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Sigma rule (View on GitHub)

 1title: PUA - Process Hacker Execution
 2id: 811e0002-b13b-4a15-9d00-a613fce66e42
 3related:
 4    - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
 5      type: similar
 6status: test
 7description: |
 8    Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
 9    Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
10    Threat actors abused older vulnerable versions to manipulate system processes.    
11references:
12    - https://processhacker.sourceforge.io/
13    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
14author: Florian Roth (Nextron Systems)
15date: 2022-10-10
16modified: 2024-11-23
17tags:
18    - attack.defense-evasion
19    - attack.discovery
20    - attack.persistence
21    - attack.privilege-escalation
22    - attack.t1622
23    - attack.t1564
24    - attack.t1543
25logsource:
26    category: process_creation
27    product: windows
28detection:
29    selection:
30        - Image|contains: '\ProcessHacker_'
31        - Image|endswith: '\ProcessHacker.exe'
32        - OriginalFileName:
33              - 'ProcessHacker.exe'
34              - 'Process Hacker'
35        - Description: 'Process Hacker'
36        - Product: 'Process Hacker'
37        - Hashes|contains:
38              - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
39              - 'MD5=B365AF317AE730A67C936F21432B9C71'
40              - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
41              - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
42              - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
43              - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
44              - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
45              - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
46    condition: selection
47falsepositives:
48    - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
49level: medium

References

Related rules

to-top