A process other than Process Explorer writing the Process Explorer driver (typically PROCEXP152.sys) to disk is a strong sign that the driver is being abused rather than used by Sysinternals itself. The driver is legitimately signed, so signature-based controls do not flag it; tools such as Backstab and the AuKill EDR killer drop it, load it through a short-lived service and use it to act on protected processes (privilege escalation, T1068), and the service can double as a persistence mechanism. The file-creation event is therefore the signal to hunt on in Azure Sentinel, and the rule below treats it as high severity.
Detection Rule
title: Process Explorer Driver Creation By Non-Sysinternals Binary
id: de46c52b-0bf8-4936-a327-aace94f94ac6
status: test
description: |
    Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
    Hack tools or malware may use the Process Explorer driver to elevate privileges: they drop it to disk for a few moments, run a service using that driver and remove it afterwards.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
    - https://github.com/Yaxser/Backstab
    - https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
    - https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
author: Florian Roth (Nextron Systems)
date: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\PROCEXP'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procexp.exe'
            - '\procexp64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur with legitimate renamed Process Explorer binaries
level: high
imFileEvent
// Sysmon's TargetFilename is a full path; in the ASIM FileEvent schema that is TargetFilePath
// (TargetFileName holds only the file name, so a '\PROCEXP' match on it would never hit).
// The Sigma Image field is the acting process, which ASIM exposes as ActingProcessName;
// matching the exclusion against TargetFilePath instead would never exclude anything,
// because a .sys path cannot end with procexp.exe.
| where TargetFilePath contains "\\PROCEXP" and TargetFilePath endswith ".sys"
| where not(ActingProcessName endswith "\\procexp.exe" or ActingProcessName endswith "\\procexp64.exe")
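The same logic as a small Python evaluator over constructed file-creation events, added here as an illustration: this is not code from the Sigma project, Nextron Systems or Microsoft, and every event, path and process name in it is constructed. It also shows, for the tuning scenarios that follow, what a broad process-name exclusion such as setup.exe does to a drop performed by a binary that merely carries that name.

```python
"""Evaluate the Process Explorer driver rule over constructed events.

Added illustration only: not code from the Sigma rule, Nextron Systems or
Microsoft. Events use Sysmon Event ID 11 (FileCreate) field names; every
path, process name and event below is constructed for this example.
"""

# Constructed sample events (Sysmon EID 11 style: Image = acting process,
# TargetFilename = full path of the file that was created).
SAMPLE_EVENTS = [
    # Legitimate: Process Explorer extracts its own driver on first run.
    {"Image": r"C:\Tools\procexp64.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\PROCEXP152.sys"},
    # Abuse: a Backstab-style tool drops the driver in a temp directory.
    {"Image": r"C:\Users\Public\Backstab.exe",
     "TargetFilename": r"C:\Windows\Temp\PROCEXP152.sys"},
    # Abuse: the dropper is simply named like an installer.
    {"Image": r"C:\Users\Public\setup.exe",
     "TargetFilename": r"C:\ProgramData\procexp152.sys"},
    # Documented false positive: a renamed Process Explorer binary.
    {"Image": r"C:\Tools\pe64.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\PROCEXP152.sys"},
    # Not a driver file: must not match the selection.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\procexp.txt"},
]

# Sigma string modifiers (contains/endswith) match case-insensitively by
# default, so both sides are lower-cased before comparison.
PROCEXP_IMAGES = ("\\procexp.exe", "\\procexp64.exe")


def selection(event: dict) -> bool:
    """The rule's 'selection': TargetFilename contains '\\PROCEXP' and ends with '.sys'."""
    target = event.get("TargetFilename", "").lower()
    return "\\procexp" in target and target.endswith(".sys")


def filter_main_process_explorer(event: dict) -> bool:
    """The rule's filter: the acting image is procexp.exe or procexp64.exe."""
    return event.get("Image", "").lower().endswith(PROCEXP_IMAGES)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_process_explorer(event)


def run_rule(events, extra_excluded_images=()):
    """Return the Image of every event that fires.

    extra_excluded_images models a tuning exclusion added on top of the
    rule (an Image suffix such as '\\setup.exe'); it exists only to show
    what such an exclusion suppresses.
    """
    excluded = tuple(s.lower() for s in extra_excluded_images)
    hits = []
    for event in events:
        if not rule_matches(event):
            continue
        if excluded and event["Image"].lower().endswith(excluded):
            continue
        hits.append(event["Image"])
    return hits


if __name__ == "__main__":
    print("rule as written:", run_rule(SAMPLE_EVENTS))
    print("with setup.exe excluded:",
          run_rule(SAMPLE_EVENTS, extra_excluded_images=("\\setup.exe",)))
```

Run as a script, the rule as written fires on the Backstab drop, on the installer-named dropper and on the renamed pe64.exe copy, and stays silent on the real procexp64.exe. The renamed copy is exactly the false positive the rule documents: the event carries only the image name, so the rule cannot tell a renamed Process Explorer from a renamed dropper. Adding a generic setup.exe exclusion removes the dropper hit, not the renamed-copy hit, which is why exclusions should key on a verified full path (or file hash) of the renamed copy rather than on installer or service-host names.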
Scenario: System Update or Patching Tool Installation
Description: Windows Update and Microsoft Endpoint Configuration Manager do not ship or extract the Process Explorer driver; Process Explorer extracts it from its own executable at run time. A deployment job that copies the Sysinternals tools to endpoints therefore writes procexp.exe, not a PROCEXP*.sys file, and a hit attributed to svchost.exe, msiexec.exe or setup.exe is not expected behaviour.
Filter/Exclusion: Do not exclude svchost.exe, msiexec.exe or setup.exe by name: the rule exists to catch a service-based drop, and a hack tool can be named setup.exe. If a specific deployment job in your environment genuinely writes the file, confirm that the written file's hash matches the driver shipped inside the Process Explorer release you deploy, then scope the exclusion to that job's full image path and target path.
Scenario: Scheduled Task for System Monitoring
Description: An admin may schedule Process Explorer (or a renamed copy) to run unattended; on current Windows the task action is started by the Schedule service host (svchost.exe), and on older systems by taskeng.exe. schtasks.exe only creates tasks and is not the parent of the action.
Filter/Exclusion: A task that runs procexp.exe or procexp64.exe is already excluded by the rule's Image filter. Do not exclude on the parent being the task scheduler: adversaries launch their tools from scheduled tasks too, so a filter such as process.parent_process_name == "taskeng.exe" would suppress the very activity the rule targets. If the task runs a renamed copy, exclude that copy's full path after verifying its hash.
Scenario: Third-Party Security Software Integration
Description: Security products ship and load their own signed drivers; none of the rule's references indicate that Microsoft Defender, CrowdStrike or Palo Alto Networks extract the Process Explorer driver. Csrss.exe is a core Windows subsystem process, not security software, and must not appear on any whitelist for this rule.
Filter/Exclusion: If a vendor diagnostic tool in your environment does drop the file, confirm it with the vendor and exclude by that tool's full image path and code-signing identity, not by a bare process name, since an attacker can reuse a trusted name in an untrusted location.
Scenario: Admin Task for Driver Management
Description: An admin running Process Explorer for troubleshooting causes the driver to be written by procexp.exe or procexp64.exe, which the rule already excludes. Process Monitor loads its own driver and does not write a PROCEXP*.sys file, so it does not match the selection.
Filter/Exclusion: Do not exclude on "elevated admin user": loading a kernel driver always requires administrative rights, so the malicious drop runs elevated as well and such an exclusion would silence the rule entirely. The only admin-driven case that needs tuning is a renamed Process Explorer binary; exclude its verified full path.
Scenario: Malicious Tool Mimicking Process Explorer