detection.wiki

Detection rules › Sigma

PUA - Process Hacker Driver Load

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects driver load of the Process Hacker tool

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1543 Create or Modify System Process
Privilege EscalationT1543 Create or Modify System Process

Event coverage

ProviderEvent IDTitle
Sysmon6Driver loaded

Stages and Predicates

Stage 1: selection

or:
Hashes|contains: 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
Hashes|contains: 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
Hashes|contains: 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
Hashes|contains: 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
ImageLoaded|endswith: '\kprocesshacker.sys'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Hashesmatch
  • IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18
  • IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0
  • IMPHASH=821D74031D3F625BCBD0DF08B70F1E77
  • IMPHASH=F86759BB4DE4320918615DC06E998A39
ImageLoadedends_with
  • \kprocesshacker.sys corpus 2 (sigma 2)