
Process Explorer Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Explorer driver by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges: they drop it to disk for a few moments, run a service that loads the driver, and remove it afterwards.

Author: Florian Roth (Nextron Systems)
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (2 selectors)
detection:
    selection:
        TargetFilename|contains: '\PROCEXP'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procexp.exe'
            - '\procexp64.exe'
    condition: selection and not 1 of filter_main_*
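The following is an added example, not code from the Sigma rule or the Sigma project: it replays the rule's detection logic over a handful of constructed records shaped like Sysmon Event ID 11 (FileCreate) so that the matching semantics are visible. Two details matter in practice and are reflected in the code: Sigma's contains/endswith modifiers are case-insensitive by default, so a driver written as PROCEXP152.SYS still matches '\PROCEXP' and '.sys'; and the filter exempts only images whose file name is procexp.exe or procexp64.exe, which is why a renamed copy of Process Explorer (the false positive listed below) is still flagged. All paths, image names and the driver file name in the sample data are assumptions for illustration.

```python
"""Replay of the Sigma rule's detection logic over constructed Sysmon
Event ID 11 records. Illustration code only, not the Sigma project's
evaluator; field names follow Sysmon, sample values are made up."""

# Constructed sample events (assumed paths and names, not real telemetry).
SAMPLE_EVENTS = [
    # 0: Process Explorer itself drops its driver -> exempted by the filter
    {"Image": r"C:\Tools\procexp64.exe",
     "TargetFilename": r"C:\Windows\System32\Drivers\PROCEXP152.SYS"},
    # 1: unrelated binary drops the driver -> flagged
    {"Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\Windows\Temp\procexp152.sys"},
    # 2: some other driver file -> selection does not match
    {"Image": r"C:\Windows\System32\drvinst.exe",
     "TargetFilename": r"C:\Windows\System32\Drivers\usbhub.sys"},
    # 3: renamed Process Explorer -> flagged (the documented false positive)
    {"Image": r"C:\Tools\pe64.exe",
     "TargetFilename": r"C:\Windows\System32\Drivers\PROCEXP152.SYS"},
    # 4: driver-like name but wrong extension -> selection does not match
    {"Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\Windows\Temp\procexp152.sys.tmp"},
]


def _ci_contains(value: str, needle: str) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    return needle.lower() in value.lower()


def _ci_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def selection(event: dict) -> bool:
    """Every key in a Sigma selection map must match (logical AND)."""
    target = event.get("TargetFilename", "")
    return _ci_contains(target, "\\PROCEXP") and _ci_endswith(target, ".sys")


def filter_main_process_explorer(event: dict) -> bool:
    """A list of values under one field is a logical OR."""
    image = event.get("Image", "")
    return any(_ci_endswith(image, s) for s in ("\\procexp.exe", "\\procexp64.exe"))


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_process_explorer(event)


def flagged_indices(events) -> list:
    """Indices of the events the rule would raise an alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT: {e['Image']} wrote {e['TargetFilename']}")
```

Because the exemption keys on the image file name alone, a tool that names itself procexp.exe before dropping the driver will not be flagged by this rule; pairing it with the corresponding service-creation or driver-load telemetry, or checking the image's signature, closes that gap.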
False Positives

Some false positives may occur with legitimate renamed Process Explorer binaries, since the filter only exempts images named procexp.exe or procexp64.exe.

Rule Metadata
Rule ID
de46c52b-0bf8-4936-a327-aace94f94ac6
Status
test
Level
high
Type
Detection
Created
Fri May 05
Path
rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
Raw Tags
attack.persistence
attack.privilege-escalation
attack.t1068