Type: Detection | Level: medium | Status: test

Suspicious PROCEXP152.sys File Created In TMP

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.

Authors: xknow, xorxes | Created: Mon Apr 08 | Updated: Tue Nov 22 | Rule ID: 3da70954-0f2c-4103-adff-b7440368f50e | Platform: windows
Log Source
Windows / File Event
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (2 selectors)
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'PROCEXP152.sys'
    filter:
        Image|contains:
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
    condition: selection and not filter
False Positives

Other legitimate tools that use this driver and filename (such as Sysinternals). Note: attackers can easily bypass this detection simply by renaming the driver file. The rule is therefore rated Medium only and should not be relied on by itself.
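To show how the detection logic above behaves, including the renaming bypass described in the false-positives note, here is an added example (not code from the rule page or the Sigma project) that evaluates the rule's `selection and not filter` condition over constructed Sysmon-style file-create events; the process name `loader.exe` and the user path are made up for illustration.

```python
# Added example: evaluate the Sigma rule's selection/filter logic over
# constructed file-create events (none of these are real log records).

TEMP_FRAGMENT = "\\AppData\\Local\\Temp\\"      # TargetFilename|contains
DRIVER_SUFFIX = "PROCEXP152.sys"                 # TargetFilename|endswith
BENIGN_IMAGES = [                                # Image|contains (filter)
    "\\procexp64.exe", "\\procexp.exe", "\\procmon64.exe", "\\procmon.exe",
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not filter'.

    Sigma string modifiers match case-insensitively, so both the event
    fields and the rule's literals are lowercased before comparison.
    """
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = (TEMP_FRAGMENT.lower() in target
                 and target.endswith(DRIVER_SUFFIX.lower()))
    filtered = any(benign.lower() in image for benign in BENIGN_IMAGES)
    return selection and not filtered


def run_detection(events) -> list:
    """Return the ids of all events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events; 'loader.exe' is a hypothetical unknown process.
TEMP_DRIVER = "C:\\Users\\alice\\AppData\\Local\\Temp\\PROCEXP152.sys"
SAMPLE_EVENTS = [
    # Process Explorer itself dropping its driver: matched by the filter, no alert.
    {"id": "sysinternals", "Image": "C:\\Tools\\procexp64.exe",
     "TargetFilename": TEMP_DRIVER},
    # Unknown process dropping the same driver: alert.
    {"id": "kdu-like", "Image": "C:\\Users\\alice\\Downloads\\loader.exe",
     "TargetFilename": TEMP_DRIVER},
    # Same process, driver renamed: the bypass the false-positives note warns about.
    {"id": "renamed-driver", "Image": "C:\\Users\\alice\\Downloads\\loader.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\drv.sys"},
    # Driver written outside the Temp folder: out of scope for this rule.
    {"id": "outside-temp", "Image": "C:\\Users\\alice\\Downloads\\loader.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\PROCEXP152.sys"},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # → ['kdu-like']
```

Only the unrenamed driver written by a non-Sysinternals process triggers, which is why the rule's own note says not to rely on it alone.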

Rule Metadata
Rule ID
3da70954-0f2c-4103-adff-b7440368f50e
Status
test
Level
medium
Type
Detection
Created
Mon Apr 08
Modified
Tue Nov 22
Author
Path
rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
Raw Tags
attack.t1562.001, attack.defense-evasion