Suspicious PROCEXP152.sys Driver Creation in Temporary Folders
This brief details the suspicious creation of the PROCEXP152.sys driver file, associated with Sysinternals Process Explorer, in temporary application data folders, a technique leveraged by tools like KDU and Ghost-In-The-Logs for defense evasion and bypassing Windows Event Logging on affected Windows systems.
This threat brief focuses on the detection of the PROCEXP152.sys driver being created in a user's temporary application data folder (\AppData\Local\Temp\). While PROCEXP152.sys is a legitimate driver used by Sysinternals Process Explorer for process management, its deployment by other tools, such as the Kernel Driver Utility (KDU) or Ghost-In-The-Logs, within temporary directories is highly suspicious. Attackers and red teamers utilize KDU and Ghost-In-The-Logs to load vulnerable drivers like PROCEXP152.sys for defense evasion, specifically to impair or bypass security monitoring solutions like Sysmon and Windows Event Logging. This technique allows adversaries to hide their activities, making it harder for defenders to detect malicious processes, network connections, and file manipulations. The presence of this file in an unusual location, decoupled from its legitimate Sysinternals executable, strongly indicates potential malicious intent to compromise system visibility.
Attack Chain
A full multi-stage attack chain is not described in the source material, which focuses on a specific defense evasion technique rather than an end-to-end campaign. The technique primarily involves an attacker having already achieved initial access and aiming to maintain persistence and evade detection.
Impact
Successful deployment of the PROCEXP152.sys driver by malicious tools for defense evasion can lead to significant compromise of system visibility. By bypassing Sysmon and Windows Event Logging, attackers can execute commands, establish persistence, exfiltrate data, or deploy additional malware without leaving observable traces in standard security logs. This impairment makes it exceedingly difficult for security operations centers to detect and respond to ongoing intrusions, leading to prolonged dwell times and potentially widespread damage. While no specific victim counts are mentioned, this technique is broadly applicable to Windows environments, affecting organizations of all sectors reliant on endpoint detection for security.
Recommendation
- Deploy the
Suspicious PROCEXP152.sys File Created In TMPSigma rule to your SIEM/EDR to detect the creation of this driver in suspicious locations. - Ensure
File Creationlogging (Event ID 11) is enabled for Sysmon or similar file system monitoring to capture the artifact referenced in the rule. - Investigate any alerts generated by the
Suspicious PROCEXP152.sys File Created In TMPrule, focusing on the parent process responsible for creating the.sysfile. - Review the referenced blog post (https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/) for further context on defense evasion techniques involving drivers.
Detection coverage 1
Suspicious PROCEXP152.sys File Created In TMP
mediumDetects the creation of the PROCEXP152.sys driver file in application-data local temporary folders, which can indicate defense evasion via tools like KDU or Ghost-In-The-Logs.
Detection queries are available on the platform. Get full rules →