Adversaries may drop the Process Monitor driver from a binary other than Sysinternals' Process Monitor (procmon) in order to persistently monitor system processes and exfiltrate data without detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms used by advanced threats.
Detection Rule
title: Process Monitor Driver Creation By Non-Sysinternals Binary
id: a05baa88-e922-4001-bc4d-8738135f27de
status: test
description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\procmon'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procmon.exe'
            - '\procmon64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur with legitimate renamed process monitor binaries
level: medium
imFileEvent
| where TargetFileName contains "\\procmon" and TargetFileName endswith ".sys"
// The exclusion must be evaluated on the process that wrote the file (the Sigma "Image" field), not on the
// target file: TargetFilePath already ends with ".sys" here, so a check for ".exe" on it can never match and
// the filter would silently do nothing. ASIM imFileEvent carries the acting process path in ActingProcessName
// (assumed to be the mapping for the Sigma Image field in this schema).
| where not (ActingProcessName endswith "\\procmon.exe" or ActingProcessName endswith "\\procmon64.exe")
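The following is an added example, not part of the Sigma rule or the Sentinel query above: it implements the rule's selection and filter logic in Python and runs it over constructed Sysmon-style file-create events, showing which ones fire, that matching is case-insensitive (as Sigma and KQL `contains`/`endswith` are), and that the procmon exclusion has to be checked against the creating process image rather than the target file. Event field names, paths and the `FileEvent` helper are assumptions for the demo.

```python
# Added example: the Sigma rule's detection logic applied to constructed file-create
# events. Field names mirror the rule (Image, TargetFilename); sample paths are invented.
from dataclasses import dataclass

# Sigma string modifiers are case-insensitive by default (so are KQL contains/endswith),
# hence every comparison below is made on lower-cased values.
PROCMON_IMAGES = ("\\procmon.exe", "\\procmon64.exe")


@dataclass
class FileEvent:
    image: str            # process that created the file (Sysmon Event ID 11 "Image")
    target_filename: str  # file that was created ("TargetFilename")


def selection(ev: FileEvent) -> bool:
    """selection: TargetFilename|contains '\\procmon' and TargetFilename|endswith '.sys'"""
    name = ev.target_filename.lower()
    return "\\procmon" in name and name.endswith(".sys")


def filter_main_process_explorer(ev: FileEvent) -> bool:
    """Excludes Process Monitor dropping its own driver. Evaluated on Image, not on the
    target file: the target already ends with .sys, so checking it for .exe never matches."""
    return ev.image.lower().endswith(PROCMON_IMAGES)


def matches(ev: FileEvent) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filter_main_process_explorer(ev)


# Constructed sample events; every path here is illustrative only.
SAMPLE_EVENTS = [
    # Genuine Process Monitor loading its driver: selected, then filtered out.
    FileEvent(r"C:\Tools\Procmon64.exe", r"C:\Windows\System32\drivers\PROCMON24.SYS"),
    # Unknown binary writing a procmon-named driver: the case the rule is written for.
    FileEvent(r"C:\Users\Public\updater.exe", r"C:\Windows\System32\drivers\PROCMON24.SYS"),
    # Same binary writing a non-driver file with "procmon" in its name: not selected.
    FileEvent(r"C:\Users\Public\updater.exe", r"C:\Temp\procmon_notes.txt"),
    # Renamed copy of Procmon (the documented false positive): the rule does fire.
    FileEvent(r"C:\Tools\pm.exe", r"C:\Windows\System32\drivers\PROCMON24.SYS"),
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the images of the events that trigger the rule, in event order."""
    return [ev.image for ev in events if matches(ev)]


if __name__ == "__main__":
    for img in alerts():
        print("ALERT: Process Monitor driver created by", img)
```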
False Positive Scenarios
Scenario: System Update or Patch Installation
Description: A legitimate system update or patch installation process may create temporary drivers or monitoring components as part of its operation.
Filter/Exclusion: Exclude processes associated with Windows Update (wuauclt.exe), Microsoft Update (msiexec.exe), or specific patching tools like setup.exe from the detection.
Scenario: Antivirus or Endpoint Protection Scan
Description: Some endpoint protection solutions may create temporary drivers or monitoring components during a full system scan.
Filter/Exclusion: Exclude processes from known antivirus vendors such as mpsvc.exe (Microsoft Defender), avgnt.exe (Avast), or bit4id.exe (Bitdefender).
Scenario: Scheduled Job for Log Collection or Monitoring
Description: A scheduled task configured to collect logs or monitor system activity might use a driver or monitoring tool that is not Process Monitor.
Filter/Exclusion: Exclude processes running under the System or Local System account that are associated with log collection tools like eventvwr.exe or logman.exe.
Scenario: Third-Party Monitoring or Diagnostics Tool
Description: A legitimate third-party tool, such as Process Explorer (from Sysinternals) or Wireshark, may create drivers or monitoring components during operation.
Filter/Exclusion: Exclude processes from known trusted tools like procexp.exe (Process Explorer) or wireshark.exe.
Scenario: Admin Task for Driver Deployment
Description: An administrator may deploy a new driver or use a tool like devcon.exe to manage hardware drivers, which could trigger the rule.
Filter/Exclusion: Exclude processes running devcon.exe or associated with driver deployment tools, or filter by the Administrators group.