Detectionmediumtest

PUA - System Informer Execution

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Mon May 08Updated Sat Nov 235722dff1-4bdd-4949-86ab-fbaf707e767awindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\SystemInformer.exe'
        - OriginalFileName: 'SystemInformer.exe'
        - Description: 'System Informer'
        - Product: 'System Informer'
        - Hashes|contains:
              # Note: add other hashes as needed
              # 3.0.11077.6550
              - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
              - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
              - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
              - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
    condition: selection

False Positives

System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation TA0007 · Discovery TA0005 · Defense Evasion

Techniques

T1082 · System Information Discovery T1564 · Hide Artifacts T1543 · Create or Modify System Process

Related Rules

SimilarDetectionmedium

PUA - Process Hacker Execution

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

5722dff1-4bdd-4949-86ab-fbaf707e767a

Status

test

Level

medium

Type

Detection

Created

Mon May 08

Modified

Sat Nov 23

Author

Florian Roth (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_pua_system_informer.yml

Raw Tags

attack.persistenceattack.privilege-escalationattack.discoveryattack.defense-evasionattack.t1082attack.t1564attack.t1543

View on GitHub