Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

PUA - Process Hacker Execution

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Mon Oct 10Updated Sat Nov 23811e0002-b13b-4a15-9d00-a613fce66e42windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        - Image|contains: '\ProcessHacker_'
        - Image|endswith: '\ProcessHacker.exe'
        - OriginalFileName:
              - 'ProcessHacker.exe'
              - 'Process Hacker'
        - Description: 'Process Hacker'
        - Product: 'Process Hacker'
        - Hashes|contains:
              - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
              - 'MD5=B365AF317AE730A67C936F21432B9C71'
              - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
              - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
              - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
              - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
              - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
              - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
    condition: selection
False Positives

While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis

References
1
Resolving title…
processhacker.sourceforge.io
2
Resolving title…
crowdstrike.com
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

PUA - System Informer Execution

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
811e0002-b13b-4a15-9d00-a613fce66e42
Status
test
Level
medium
Type
Detection
Created
Mon Oct 10
Modified
Sat Nov 23
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
Raw Tags
attack.defense-evasionattack.discoveryattack.persistenceattack.privilege-escalationattack.t1622attack.t1564attack.t1543
View on GitHub