PUA - Process Hacker Execution

calendar Aug 28, 2023 · attack.defense_evasion attack.discovery attack.persistence attack.privilege_escalation attack.t1622 attack.t1564 attack.t1543  ·
Share on: linkedin copy

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes.

Sigma rule (View on GitHub)

 1title: PUA - Process Hacker Execution
 2id: 811e0002-b13b-4a15-9d00-a613fce66e42
 3related:
 4    - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
 5      type: similar
 6status: experimental
 7description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes.
 8references:
 9    - https://processhacker.sourceforge.io/
10    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
11author: Florian Roth (Nextron Systems)
12date: 2022/10/10
13modified: 2023/05/08
14tags:
15    - attack.defense_evasion
16    - attack.discovery
17    - attack.persistence
18    - attack.privilege_escalation
19    - attack.t1622
20    - attack.t1564
21    - attack.t1543
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_image:
27        - Image|contains: '\ProcessHacker_'
28        - Image|endswith: '\ProcessHacker.exe'
29        - OriginalFileName:
30            - 'ProcessHacker.exe'
31            - 'Process Hacker'
32        - Description: 'Process Hacker'
33        - Product: 'Process Hacker'
34    selection_hashes:
35        Hashes|contains:
36            - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
37            - 'MD5=B365AF317AE730A67C936F21432B9C71'
38            - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
39            - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
40            - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
41            - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
42            - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
43            - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
44    selection_hash_values:
45        - md5:
46            - '68f9b52895f4d34e74112f3129b3b00d'
47            - 'b365af317ae730a67c936f21432b9c71'
48        - sha1:
49            - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e'
50            - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d'
51        - sha256:
52            - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f'
53            - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4'
54        - Imphash:
55            - '04de0ad9c37eb7bd52043d2ecac958df'
56            - '3695333c60dedecdcaff1590409aa462'
57    condition: 1 of selection_*
58falsepositives:
59    - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
60level: high

References

Related rules

to-top