PUA - Process Hacker Execution
Detects the execution of Process Hacker based on binary metadata (Image, Hashes, Imphash, OriginalFileName, Product, etc.). Process Hacker is a tool for viewing and manipulating processes, kernel options and other low-level settings. Threat actors have abused older, vulnerable versions of it to manipulate system processes.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543 Create or Modify System Process |
| Privilege Escalation | T1543 Create or Modify System Process |
| Defense Evasion | T1564 Hide Artifacts, T1622 Debugger Evasion |
| Discovery | T1622 Debugger Evasion |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection (the predicates are OR-ed; any single match fires the rule)
```yaml
selection:
    - Description: 'Process Hacker'
    - Hashes|contains:
        - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
        - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
        - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
        - 'MD5=B365AF317AE730A67C936F21432B9C71'
        - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
        - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
        - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
        - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
    - Image|endswith: '\ProcessHacker.exe'
    - Image|contains: '\ProcessHacker_'
    - OriginalFileName:
        - 'Process Hacker'
        - 'ProcessHacker.exe'
    - Product: 'Process Hacker'
```
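The selection above, transcribed into a matcher and run over constructed Sysmon Event ID 1 records. This is an added example, not the rule's own code or a Sigma backend; the sample events, paths and the all-zero hash values are made up, and the indicator hashes are the ones the rule lists.

```python
# Added example (not part of the rule page): the selection transcribed into a matcher.
HASH_INDICATORS = (  # the Hashes|contains values from the selection
    "IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF",
    "IMPHASH=3695333C60DEDECDCAFF1590409AA462",
    "MD5=68F9B52895F4D34E74112F3129B3B00D",
    "MD5=B365AF317AE730A67C936F21432B9C71",
    "SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D",
    "SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E",
    "SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4",
    "SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F",
)

def _ci(event, field):
    """Sigma string matching is case-insensitive by default; a missing field never matches."""
    return str(event.get(field, "")).lower()

def matches_process_hacker(event):
    """Return the names of the selection predicates that matched (the rule fires if any did)."""
    hits = []
    if _ci(event, "Description") == "process hacker":
        hits.append("Description")
    # Sysmon writes Hashes as "SHA1=...,MD5=...,SHA256=...,IMPHASH=...", so Hashes|contains
    # is a substring test against the whole comma-separated field.
    hashes = _ci(event, "Hashes")
    if any(h.lower() in hashes for h in HASH_INDICATORS):
        hits.append("Hashes")
    image = _ci(event, "Image")
    if image.endswith("\\processhacker.exe") or "\\processhacker_" in image:
        hits.append("Image")
    if _ci(event, "OriginalFileName") in ("process hacker", "processhacker.exe"):
        hits.append("OriginalFileName")
    if _ci(event, "Product") == "process hacker":
        hits.append("Product")
    return hits

# Constructed Sysmon process-creation records; paths and the zero-filled hashes are placeholders.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\ProcessHacker.exe", "Description": "Process Hacker",
     "Product": "Process Hacker", "OriginalFileName": "ProcessHacker.exe",
     "Hashes": "SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D,MD5=68F9B52895F4D34E74112F3129B3B00D"},
    # Renamed copy with its version resources stripped: only the import hash still gives it away.
    {"Image": "C:\\Temp\\update.exe", "Hashes": "SHA256=" + "0" * 64 + ",IMPHASH=3695333C60DEDECDCAFF1590409AA462"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Product": "Microsoft Windows Operating System", "Hashes": "MD5=" + "0" * 32},
]

def triage(events):
    """Pair each firing event's Image with the predicates that caught it, for analyst review."""
    return [(e.get("Image"), matches_process_hacker(e)) for e in events if matches_process_hacker(e)]
```

Because the predicates are OR-ed, a renamed binary is still caught by any surviving metadata field or hash, which is why the rule keys on several of them rather than on the file name alone.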
Indicators
Each row is a field, the operator applied to it, and the value(s) the rule matches. Where shown, the corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Description | eq | 'Process Hacker' |
| Hashes | match | the eight IMPHASH, MD5, SHA1 and SHA256 values listed in the selection above |
| Image | ends_with | '\ProcessHacker.exe' |
| Image | match | '\ProcessHacker_' |
| OriginalFileName | eq | 'Process Hacker', 'ProcessHacker.exe' |
| Product | eq | 'Process Hacker' |