
Summary
This detection rule identifies the creation of drivers associated with Process Explorer by processes that are not the legitimate Process Explorer binary (procexp.exe). The underlying concern is that malware or hacking tools may abuse the Process Explorer driver for privilege escalation. Typically, this is done by temporarily dropping the driver to disk while a malicious service executes and deleting it afterwards. By monitoring file events for driver creation where the filename contains 'PROCEXP' and ends with '.sys', while ensuring that the process responsible for the creation is not recognized as the legitimate Process Explorer, the rule aims to catch any possible misuse of this driver. This rule is particularly important because abusing signed drivers for privilege escalation is common across many kinds of malicious activity.
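The matching logic described above, as an added example that is not the rule's own code: it evaluates Sysmon Event ID 11-style file-creation records (fields Image and TargetFilename) and flags a '.sys' file whose path contains 'PROCEXP' when the creating process is not Process Explorer. The sample events are constructed; treating procexp64.exe as legitimate alongside procexp.exe, and matching case-insensitively, are assumptions.

```python
import ntpath

# Assumption: the 64-bit Process Explorer image is also legitimate; the page
# only names procexp.exe. Compared case-insensitively (upper-cased here).
LEGITIMATE_IMAGES = {"PROCEXP.EXE", "PROCEXP64.EXE"}

# Constructed sample file-creation events (Sysmon Event ID 11 style);
# these are not records from any real system.
SAMPLE_EVENTS = [
    # Legitimate: Process Explorer itself drops its driver.
    {"Image": r"C:\Tools\procexp.exe",
     "TargetFilename": r"C:\Windows\Temp\PROCEXP152.sys"},
    # Suspicious: an unrelated binary drops the Process Explorer driver.
    {"Image": r"C:\Users\Public\updater.exe",
     "TargetFilename": r"C:\Windows\Temp\PROCEXP152.sys"},
    # Not a driver: same binary, but the file is not a .sys file.
    {"Image": r"C:\Users\Public\updater.exe",
     "TargetFilename": r"C:\Users\Public\procexp.txt"},
    # Unrelated driver: no 'PROCEXP' in the path, so out of scope.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\other.sys"},
]


def matches_rule(event):
    """Return True when a file event matches the detection logic: a '.sys'
    file whose path contains 'PROCEXP', created by a process whose image
    is not one of the legitimate Process Explorer binaries."""
    target = event.get("TargetFilename", "").upper()
    if "PROCEXP" not in target or not target.endswith(".SYS"):
        return False
    # ntpath handles Windows-style backslash paths on any host OS.
    image_name = ntpath.basename(event.get("Image", "")).upper()
    return image_name not in LEGITIMATE_IMAGES


def find_suspicious_driver_drops(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_suspicious_driver_drops(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```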
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
Created: 2023-05-05