{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/process-explorer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Process Explorer"],"_cs_severities":["high"],"_cs_tags":["driver-abuse","privilege-escalation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries are leveraging a technique that involves the abuse of legitimate Sysinternals Process Explorer drivers (\u003ccode\u003ePROCEXP*.sys\u003c/code\u003e) to gain elevated privileges on Windows systems. This method entails dropping the driver to disk via a malicious process that is not the official Process Explorer utility itself. Once dropped, the adversary can create a service using this driver, which then allows their code to operate with system-level privileges. This technique is often short-lived, with the driver being removed shortly after privilege escalation is achieved, making detection challenging. This allows attackers to bypass security solutions like EDRs and perform actions that require high integrity, such as terminating security processes or modifying critical system configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: An adversary gains initial access to a Windows system through an unspecified mechanism, such as exploiting a vulnerability or via a phishing attack.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution\u003c/strong\u003e: Malware or hack tools are executed on the compromised endpoint, initiating the malicious activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Dropping\u003c/strong\u003e: The malicious process (not \u003ccode\u003eprocexp.exe\u003c/code\u003e or its variants) drops a legitimate Sysinternals Process Explorer driver file (e.g., \u003ccode\u003ePROCEXP64.sys\u003c/code\u003e) to a temporary location on the disk.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Creation\u003c/strong\u003e: The malware programmatically creates a new Windows service, configured to load and execute the dropped \u003ccode\u003ePROCEXP*.sys\u003c/code\u003e driver.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: The newly created service is started, leveraging the signed Process Explorer driver to achieve system-level privileges, allowing the attacker to bypass user access controls and potentially EDR solutions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation \u0026amp; Cleanup\u003c/strong\u003e: After achieving the desired objective (e.g., disabling security software, system modifications), the malware removes the dropped driver file and may delete the associated service to cover its tracks and evade forensic analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this technique grants attackers system-level privileges, enabling them to completely compromise the affected Windows endpoint. This can lead to the termination or disabling of security software (such as EDR agents), exfiltration of sensitive data, deployment of ransomware, or establishment of persistent access. The impact can extend to full network compromise if the elevated privileges are used to pivot to other systems or compromise domain controllers. Specific instances have been observed where this technique contributed to EDR bypasses, allowing malware like Aukill to operate undetected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule 'Process Explorer Driver Creation By Non-Sysinternals Binary' to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003efile_event\u003c/code\u003e logging (e.g., Sysmon Event ID 11 for FileCreate) on all Windows endpoints to ensure the detection rule has the necessary telemetry.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting solutions to prevent unauthorized executables from running on endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:17:02Z","date_published":"2026-07-03T14:17:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-process-explorer-driver-abuse/","summary":"Malware and hack tools are observed creating Sysinternals Process Explorer drivers via non-Sysinternals processes to elevate privileges and bypass security controls on Windows systems.","title":"Malware Abusing Process Explorer Driver for Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-process-explorer-driver-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Process Explorer","version":"https://jsonfeed.org/version/1.1"}