PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
Sigma rule (View on GitHub)
1title: PUA - System Informer Execution
2id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
3related:
4 - id: 811e0002-b13b-4a15-9d00-a613fce66e42
5 type: similar
6status: test
7description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
8references:
9 - https://github.com/winsiderss/systeminformer
10author: Florian Roth (Nextron Systems)
11date: 2023-05-08
12tags:
13 - attack.persistence
14 - attack.privilege-escalation
15 - attack.discovery
16 - attack.defense-evasion
17 - attack.t1082
18 - attack.t1564
19 - attack.t1543
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_image:
25 - Image|endswith: '\SystemInformer.exe'
26 - OriginalFileName: 'SystemInformer.exe'
27 - Description: 'System Informer'
28 - Product: 'System Informer'
29 selection_hashes:
30 Hashes|contains:
31 # Note: add other hashes as needed
32 # 3.0.11077.6550
33 - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
34 - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
35 - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
36 - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
37 selection_hash_values:
38 - md5: '19426363A37C03C3ED6FEDF57B6696EC'
39 - sha1: '8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
40 - sha256: '8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
41 - Imphash: 'B68908ADAEB5D662F87F2528AF318F12'
42 condition: 1 of selection_*
43falsepositives:
44 - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
45level: medium
References
Related rules
- PUA - Process Hacker Execution
- Potential Suspicious Activity Using SeCEdit
- Github Self Hosted Runner Changes Detected
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS