PUA - System Informer Execution

calendar Nov 25, 2024 · attack.persistence attack.privilege-escalation attack.discovery attack.defense-evasion attack.t1082 attack.t1564 attack.t1543  ·
Share on: linkedin copy

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Sigma rule (View on GitHub)

 1title: PUA - System Informer Execution
 2id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
 3related:
 4    - id: 811e0002-b13b-4a15-9d00-a613fce66e42
 5      type: similar
 6status: test
 7description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
 8references:
 9    - https://github.com/winsiderss/systeminformer
10author: Florian Roth (Nextron Systems)
11date: 2023-05-08
12modified: 2024-11-23
13tags:
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.discovery
17    - attack.defense-evasion
18    - attack.t1082
19    - attack.t1564
20    - attack.t1543
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        - Image|endswith: '\SystemInformer.exe'
27        - OriginalFileName: 'SystemInformer.exe'
28        - Description: 'System Informer'
29        - Product: 'System Informer'
30        - Hashes|contains:
31              # Note: add other hashes as needed
32              # 3.0.11077.6550
33              - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
34              - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
35              - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
36              - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
37    condition: selection
38falsepositives:
39    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
40level: medium

References

Related rules

to-top