detection.wiki

Detection rules › Sigma

PUA - System Informer Execution

Severity
medium
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1543 Create or Modify System Process
Privilege EscalationT1543 Create or Modify System Process
Defense EvasionT1564 Hide Artifacts
DiscoveryT1082 System Information Discovery

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

or:
Description: 'System Informer'
Hashes|contains: 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
Hashes|contains: 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
Hashes|contains: 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
Hashes|contains: 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
Image|endswith: '\SystemInformer.exe'
OriginalFileName: SystemInformer.exe
Product: 'System Informer'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Descriptioneq
  • System Informer
Hashesmatch
  • IMPHASH=B68908ADAEB5D662F87F2528AF318F12
  • MD5=19426363A37C03C3ED6FEDF57B6696EC
  • SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC
  • SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287
Imageends_with
  • \SystemInformer.exe
OriginalFileNameeq
  • SystemInformer.exe
Producteq
  • System Informer