
Suspicious Service Installed

Format: Sigma · Level: Medium · Source: SigmaHQ · ATT&CK: T1685 · Sentinel table: imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-31T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects installation of NalDrv or PROCEXP152 services via registry keys pointing to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU).

Detection Rule

Sigma (Original)

title: Suspicious Service Installed
id: f2485272-a156-4773-82d7-1d178bc4905b
status: test
description: |
  Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
  Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
references:
    - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject:
            - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
            - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
    filter:
        Image|endswith:
            # Please add the full paths that you use in your environment to tighten the rule
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
            - '\handle.exe'
            - '\handle64.exe'
        Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
    condition: selection and not filter
falsepositives:
    - Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
level: medium
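To make the rule's `selection and not filter` condition concrete, the following added example (not SigmaHQ's code) evaluates it over a handful of constructed Sysmon registry_set events: an unknown loader pointing NalDrv or PROCEXP152 at a user temp directory fires, a genuine Process Explorer install into system32\Drivers is excluded by the filter, and a renamed service slips past, which is exactly the blind spot the rule's falsepositives note describes. Event shapes, paths and ids are constructed placeholders.

```python
# Added example (not SigmaHQ's code): evaluates this rule's
# `selection and not filter` logic over constructed Sysmon registry_set
# events so the match/exclusion behaviour can be checked offline.
from __future__ import annotations

# Values copied from the rule above.
SELECTION_TARGETS = (
    r"HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath",
    r"HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath",
)
FILTER_IMAGE_SUFFIXES = (
    r"\procexp64.exe", r"\procexp.exe",
    r"\procmon64.exe", r"\procmon.exe",
    r"\handle.exe", r"\handle64.exe",
)
FILTER_DETAILS_SUBSTRING = r"\WINDOWS\system32\Drivers\PROCEXP152.SYS"


def selection(event: dict) -> bool:
    """TargetObject list: Sigma OR's list values and matches case-insensitively."""
    target = event.get("TargetObject", "").lower()
    return any(target == t.lower() for t in SELECTION_TARGETS)


def filter_(event: dict) -> bool:
    """Fields inside one Sigma selection are AND'd: the writing process must
    be a Sysinternals binary AND the value must point into system32\\Drivers."""
    image = event.get("Image", "").lower()
    details = event.get("Details", "").lower()
    image_ok = any(image.endswith(s.lower()) for s in FILTER_IMAGE_SUFFIXES)
    details_ok = FILTER_DETAILS_SUBSTRING.lower() in details
    return image_ok and details_ok


def matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return selection(event) and not filter_(event)


def alerts(events: list[dict]) -> list[str]:
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (Sysmon EventID 13 shape); paths and ids are
# placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {   # unknown loader writes NalDrv ImagePath into a user temp dir -> fires
        "id": "evt-1",
        "Image": r"C:\Users\alice\Downloads\loader.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath",
        "Details": r"\??\C:\Users\alice\AppData\Local\Temp\NalDrv.sys",
    },
    {   # genuine Process Explorer installing its driver in system32 -> filtered
        "id": "evt-2",
        "Image": r"C:\Tools\SysinternalsSuite\procexp64.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath",
        "Details": r"\??\C:\WINDOWS\system32\Drivers\PROCEXP152.SYS",
    },
    {   # procexp-named driver, but dropped outside system32 -> fires
        "id": "evt-3",
        "Image": r"C:\Users\alice\Downloads\loader.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath",
        "Details": r"\??\C:\Users\alice\AppData\Local\Temp\PROCEXP152.SYS",
    },
    {   # same loader, service renamed: the gap the rule's own
        # falsepositives note warns about -> no match
        "id": "evt-4",
        "Image": r"C:\Users\alice\Downloads\loader.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\RenamedDrv\ImagePath",
        "Details": r"\??\C:\Users\alice\AppData\Local\Temp\RenamedDrv.sys",
    },
    {   # ordinary service registration -> not in selection
        "id": "evt-5",
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
        "Details": r"%SystemRoot%\System32\spoolsv.exe",
    },
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']}: {'ALERT' if matches(e) else 'ok'}")
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Running it reports evt-1 and evt-3 as alerts and evt-2 as excluded; evt-4 shows why the rule's own note rates it medium: the selection keys on two exact service names, so a renamed service never enters `selection` and the filter is never even consulted. Tightening the filter with the full Sysinternals paths used in your environment, as the rule's comment suggests, narrows the exclusion but does not close that gap.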

KQL (Azure Sentinel)

imRegistry
| where RegistryKey in~ (
      "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NalDrv\\ImagePath",
      "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath"
  )
  and not (
      (ActingProcessName endswith "\\procexp64.exe"
       or ActingProcessName endswith "\\procexp.exe"
       or ActingProcessName endswith "\\procmon64.exe"
       or ActingProcessName endswith "\\procmon.exe"
       or ActingProcessName endswith "\\handle.exe"
       or ActingProcessName endswith "\\handle64.exe")
      and RegistryValueData contains "\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS"
  )

Required Data Sources

Sentinel Table | Notes
imRegistry     | Ensure this data connector is enabled

False Positive Guidance

The rule's own falsepositives note covers the expected noise: other legitimate tools that install services or drivers under these names. The filter already excludes Sysinternals Process Explorer, Process Monitor and Handle writing PROCEXP152.SYS into \WINDOWS\system32\Drivers; add the full paths used in your environment to tighten it, as the rule's inline comment suggests. Because an attacker can evade the rule simply by renaming the service, it is rated medium and should not be relied on alone.

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml