← Back to Explore
sigmamediumHunting
Suspicious PROCEXP152.sys File Created In TMP
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
Detection Query
selection:
TargetFilename|contains: \AppData\Local\Temp\
TargetFilename|endswith: PROCEXP152.sys
filter:
Image|contains:
- \procexp64.exe
- \procexp.exe
- \procmon64.exe
- \procmon.exe
condition: selection and not filter
Author
xknow (@xknow_infosec), xorxes (@xor_xes)
Created
2019-04-08
Data Sources
windowsFile Events
Platforms
windows
Tags
attack.t1562.001attack.defense-evasion
Raw Content
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
status: test
description: |
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
references:
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2022-11-22
tags:
- attack.t1562.001
- attack.defense-evasion
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: 'PROCEXP152.sys'
filter:
Image|contains:
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
- '\procmon.exe'
condition: selection and not filter
falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
level: medium