The detection of the PROCEXP152.sys file in the TMP directory may indicate the presence of malicious tools leveraging this driver for persistence or privilege escalation. SOC teams should proactively hunt for this behavior as it could signal the use of advanced persistence mechanisms or unauthorized tooling in their Azure Sentinel environment.
Detection Rule
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
status: test
description: |
    Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
    This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
references:
    - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2022-11-22
tags:
    - attack.t1562.001
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'PROCEXP152.sys'
    filter:
        Image|contains:
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
    condition: selection and not filter
falsepositives:
    - Other legitimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore the level is only medium; don't rely on it alone.
level: medium
imFileEvent
// Sysmon TargetFilename is the full path, which in the ASim FileEvent schema is TargetFilePath (TargetFileName holds only the bare file name).
| where TargetFilePath contains "\\AppData\\Local\\Temp\\" and TargetFilePath endswith "PROCEXP152.sys"
// Sigma 'Image' is the process that created the file, i.e. ActingProcessName, not the path of the created file.
| where not (ActingProcessName contains "\\procexp64.exe" or ActingProcessName contains "\\procexp.exe" or ActingProcessName contains "\\procmon64.exe" or ActingProcessName contains "\\procmon.exe")
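To see how the rule's selection, filter and condition combine, the following is an added example (not part of the Sigma rule, its KQL translation, or any project's code) that evaluates the rule's logic over constructed Sysmon-style file-event records, including the renamed-driver case the falsepositives note describes. The record layout and the sample paths are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class FileEvent:
    """Constructed Sysmon-style file_event record, fields named as in the rule."""
    TargetFilename: str  # full path of the created file
    Image: str           # process that created the file


# Rule terms copied from the YAML above. Sigma string matching is
# case-insensitive by default, so all comparisons are lower-cased.
SELECTION_CONTAINS = "\\AppData\\Local\\Temp\\"
SELECTION_ENDSWITH = "PROCEXP152.sys"
FILTER_IMAGES = ("\\procexp64.exe", "\\procexp.exe", "\\procmon64.exe", "\\procmon.exe")


def selection(ev: FileEvent) -> bool:
    """selection: TargetFilename|contains AND TargetFilename|endswith."""
    name = ev.TargetFilename.lower()
    return SELECTION_CONTAINS.lower() in name and name.endswith(SELECTION_ENDSWITH.lower())


def filter_(ev: FileEvent) -> bool:
    """filter: Image|contains any of the Sysinternals binaries."""
    image = ev.Image.lower()
    return any(needle.lower() in image for needle in FILTER_IMAGES)


def matches(ev: FileEvent) -> bool:
    """condition: selection and not filter."""
    return selection(ev) and not filter_(ev)


# Constructed sample events (hypothetical hosts, users and tool paths).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\PROCEXP152.sys", r"C:\Tools\procexp64.exe"),   # filtered
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\PROCEXP152.sys", r"C:\Users\alice\Downloads\kdu.exe"),  # alert
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\drv.sys", r"C:\Users\alice\Downloads\kdu.exe"),  # renamed: missed
    FileEvent(r"C:\Windows\Temp\PROCEXP152.sys", r"C:\Temp\tool.exe"),                            # wrong folder
    FileEvent(r"C:\Users\bob\appdata\local\temp\procexp152.SYS", r"C:\Temp\tool.exe"),           # case-insensitive
]


def alerts(events):
    """Return the Image of every event the rule would fire on."""
    return [ev.Image for ev in events if matches(ev)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT:", image)
```

The third sample event shows why the rule is only medium level: the same tool writing the same driver under another file name produces no alert.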
Scenario: A legitimate system update or patching tool creates the PROCEXP152.sys file temporarily during installation or configuration.
Filter/Exclusion: Check the file's parent process against known patching tools (e.g., msiexec.exe, setup.exe, wusa.exe) and exclude based on process name.

Scenario: A system administrator manually installs or tests Sysinternals Process Explorer, which may temporarily create the PROCEXP152.sys file in the temporary directory.
Filter/Exclusion: Exclude events where the file is created by procexp.exe (Sysinternals Process Explorer) or by a user with administrative privileges performing a known admin task.

Scenario: A scheduled job or script runs KDU (https://github.com/hfiref0x/KDU), a tool that uses the PROCEXP152.sys driver for kernel debugging, and creates the file in the temporary directory.
Filter/Exclusion: Exclude events where the parent process is kdu.exe or where the file is created in a known KDU working directory.

Scenario: A legitimate third-party application or service uses a similar driver name for internal operations and creates the file in the temporary directory.
Filter/Exclusion: Exclude based on the file's full path, or use a whitelist of known legitimate applications that may use similar driver names.

Scenario: A user or service creates the PROCEXP152.sys file manually for testing or development purposes.
Filter/Exclusion: Exclude events where the file is created by a known development tool (e.g., msbuild.exe, devenv.exe) or by a user with elevated privileges performing a test task.