sigmahighHunting

PUA - Process Hacker Driver Load

Detects driver load of the Process Hacker tool

MITRE ATT&CK

persistenceprivilege-escalation

Detection Query

selection:
  - ImageLoaded|endswith: \kprocesshacker.sys
  - Hashes|contains:
      - IMPHASH=821D74031D3F625BCBD0DF08B70F1E77
      - IMPHASH=F86759BB4DE4320918615DC06E998A39
      - IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18
      - IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-11-16

Data Sources

windowsDriver Load Events

Platforms

windows

References

https://processhacker.sourceforge.io/

Tags

attack.persistenceattack.privilege-escalationcve.2021-21551attack.t1543

Raw Content

title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
    - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
      type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
    - https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - cve.2021-21551
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\kprocesshacker.sys'
        - Hashes|contains:
              - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
              - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
              - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
              - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
    condition: selection
falsepositives:
    - Legitimate use of process hacker or system informer by developers or system administrators
level: high