Detection rules › Sigma
HackTool - PCHunter Execution
Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1007 System Service Discovery, T1012 Query Registry, T1057 Process Discovery, T1082 System Information Discovery, T1083 File and Directory Discovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: 1 of selection_image
or:
Image|endswith: '\PCHunter32.exe'
Image|endswith: '\PCHunter64.exe'
Stage 2: 1 of selection_pe
or:
Description: 'Epoolsoft Windows Information View Tools'
OriginalFileName: PCHunter.exe
Stage 3: 1 of selection_hashes
or:
Hashes|contains: 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
Hashes|contains: 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
Hashes|contains: 'MD5=228DD0C2E6287547E26FFBD973A40F14'
Hashes|contains: 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
Hashes|contains: 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
Hashes|contains: 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
Hashes|contains: 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
Hashes|contains: 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Description | eq |
|
Hashes | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|