Type: Detection | Level: medium | Status: test

Process Monitor Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself. Process Monitor extracts its kernel driver (a file named procmon<version>.sys) to disk when it starts, so a file-create event for such a driver coming from any other image is what this rule flags; a signed Sysinternals kernel driver being dropped by an unrelated process is consistent with the persistence and privilege-escalation behaviour (T1068) the rule is tagged with.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri May 05
Rule ID: a05baa88-e922-4001-bc4d-8738135f27de
Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (2 selectors)
detection:
    selection:
        TargetFilename|contains: '\procmon'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procmon.exe'
            - '\procmon64.exe'
    condition: selection and not 1 of filter_main_*
False Positives

Some false positives may occur with legitimate renamed Process Monitor binaries. The filter keys only on the image file name, so a renamed copy of procmon (for example pm.exe) dropping its driver will alert, while any binary that happens to be named procmon.exe or procmon64.exe is suppressed; if the sensor provides image hash or signature fields, correlating on those is a more robust way to distinguish the genuine Sysinternals binary than the file name alone.
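The following is an added example, not code from the Sigma project or from the rule author, that reproduces the rule's selection/filter/condition logic in Python and runs it over constructed Sysmon Event ID 11 (FileCreate) records. It covers both the Detection Logic above and the false-positive and bypass cases just described. Field names (Image, TargetFilename) are the ones the rule uses; the event values and the helper names (FileEvent, evaluate, SAMPLE_EVENTS) are assumptions made for this illustration. Sigma string matching is case-insensitive by default, so both sides are lower-cased before comparison.

```python
# Added example (not the Sigma project's or the rule author's code): evaluate
# file_event_win_sysinternals_procmon_driver_susp_creation.yml by hand over
# constructed Sysmon FileCreate events. Real deployments convert the rule with
# sigma-cli/pySigma; this only shows what the logic does and does not catch.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class FileEvent:
    """One FileCreate record reduced to the two fields the rule reads."""
    image: str            # Image: full path of the process creating the file
    target_filename: str  # TargetFilename: full path of the file created


def selection(ev: FileEvent) -> bool:
    # TargetFilename|contains: '\procmon'  and  TargetFilename|endswith: '.sys'
    # Sigma string matching is case-insensitive, hence the lower-casing.
    t = ev.target_filename.lower()
    return "\\procmon" in t and t.endswith(".sys")


def filter_main_process_explorer(ev: FileEvent) -> bool:
    # Image|endswith: ['\procmon.exe', '\procmon64.exe']
    img = ev.image.lower()
    return any(img.endswith(s) for s in ("\\procmon.exe", "\\procmon64.exe"))


# Every selector whose name starts with filter_main_ (the rule has one).
FILTERS = [filter_main_process_explorer]


def rule_matches(ev: FileEvent) -> bool:
    # condition: selection and not 1 of filter_main_*
    return selection(ev) and not any(f(ev) for f in FILTERS)


# Constructed sample events (assumed paths, not captured telemetry).
SAMPLE_EVENTS: Dict[str, FileEvent] = {
    # genuine procmon dropping its driver: suppressed by the filter
    "procmon_itself": FileEvent(r"C:\Tools\Procmon64.exe",
                                r"C:\Windows\PROCMON24.SYS"),
    # unrelated process dropping the driver: the case the rule is for
    "unrelated_loader": FileEvent(r"C:\Users\Public\loader.exe",
                                  r"C:\Windows\Temp\procmon24.sys"),
    # renamed legitimate procmon: the documented false positive
    "renamed_procmon": FileEvent(r"C:\Tools\pm.exe",
                                 r"C:\Windows\PROCMON24.SYS"),
    # attacker binary named like procmon: the filter's blind spot
    "masquerading_as_procmon": FileEvent(r"C:\Users\Public\procmon64.exe",
                                         r"C:\Windows\Temp\procmon24.sys"),
    # procmon-named file that is not a driver: selection does not fire
    "not_a_driver": FileEvent(r"C:\Users\Public\loader.exe",
                              r"C:\Users\Public\procmon.exe"),
}


def evaluate(events: Dict[str, FileEvent]) -> Dict[str, bool]:
    """Return, per event name, whether the rule would alert on it."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Running the block prints an ALERT for unrelated_loader and renamed_procmon only; masquerading_as_procmon stays silent, which is exactly the name-only weakness of the filter noted under False Positives.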

References
1. Internal Research
Rule Metadata
Rule ID
a05baa88-e922-4001-bc4d-8738135f27de
Status
test
Level
medium
Type
Detection
Created
Fri May 05
Path
rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
Raw Tags
attack.persistence, attack.privilege-escalation, attack.t1068