<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Driver-Abuse - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/driver-abuse/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 14:17:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/driver-abuse/feed.xml" rel="self" type="application/rss+xml"/><item><title>Malware Abusing Process Explorer Driver for Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-07-process-explorer-driver-abuse/</link><pubDate>Fri, 03 Jul 2026 14:17:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-process-explorer-driver-abuse/</guid><description>Malware and hack tools are observed creating Sysinternals Process Explorer drivers via non-Sysinternals processes to elevate privileges and bypass security controls on Windows systems.</description><content:encoded><![CDATA[<p>Adversaries are leveraging a technique that involves the abuse of legitimate Sysinternals Process Explorer drivers (<code>PROCEXP*.sys</code>) to gain elevated privileges on Windows systems. This method entails dropping the driver to disk via a malicious process that is not the official Process Explorer utility itself. Once dropped, the adversary can create a service using this driver, which then allows their code to operate with system-level privileges. This technique is often short-lived, with the driver being removed shortly after privilege escalation is achieved, making detection challenging. This allows attackers to bypass security solutions like EDRs and perform actions that require high integrity, such as terminating security processes or modifying critical system configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise</strong>: An adversary gains initial access to a Windows system through an unspecified mechanism, such as exploiting a vulnerability or via a phishing attack.</li>
<li><strong>Execution</strong>: Malware or hack tools are executed on the compromised endpoint, initiating the malicious activity.</li>
<li><strong>Payload Dropping</strong>: The malicious process (not <code>procexp.exe</code> or its variants) drops a legitimate Sysinternals Process Explorer driver file (e.g., <code>PROCEXP64.sys</code>) to a temporary location on the disk.</li>
<li><strong>Service Creation</strong>: The malware programmatically creates a new Windows service, configured to load and execute the dropped <code>PROCEXP*.sys</code> driver.</li>
<li><strong>Privilege Escalation</strong>: The newly created service is started, leveraging the signed Process Explorer driver to achieve system-level privileges, allowing the attacker to bypass user access controls and potentially EDR solutions.</li>
<li><strong>Post-Exploitation &amp; Cleanup</strong>: After achieving the desired objective (e.g., disabling security software, system modifications), the malware removes the dropped driver file and may delete the associated service to cover its tracks and evade forensic analysis.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this technique grants attackers system-level privileges, enabling them to completely compromise the affected Windows endpoint. This can lead to the termination or disabling of security software (such as EDR agents), exfiltration of sensitive data, deployment of ransomware, or establishment of persistent access. The impact can extend to full network compromise if the elevated privileges are used to pivot to other systems or compromise domain controllers. Specific instances have been observed where this technique contributed to EDR bypasses, allowing malware like Aukill to operate undetected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule 'Process Explorer Driver Creation By Non-Sysinternals Binary' to your SIEM and tune for your environment.</li>
<li>Enable <code>file_event</code> logging (e.g., Sysmon Event ID 11 for FileCreate) on all Windows endpoints to ensure the detection rule has the necessary telemetry.</li>
<li>Implement application whitelisting solutions to prevent unauthorized executables from running on endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>driver-abuse</category><category>privilege-escalation</category><category>defense-evasion</category><category>windows</category></item><item><title>Suspicious PROCEXP152.sys Driver Creation in Temporary Folders</title><link>https://feed.craftedsignal.io/briefs/2026-07-suspicious-procexp152-sys-in-tmp/</link><pubDate>Fri, 03 Jul 2026 14:15:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-suspicious-procexp152-sys-in-tmp/</guid><description>This brief details the suspicious creation of the PROCEXP152.sys driver file, associated with Sysinternals Process Explorer, in temporary application data folders, a technique leveraged by tools like KDU and Ghost-In-The-Logs for defense evasion and bypassing Windows Event Logging on affected Windows systems.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of the <code>PROCEXP152.sys</code> driver being created in a user's temporary application data folder (<code>\AppData\Local\Temp\</code>). While <code>PROCEXP152.sys</code> is a legitimate driver used by Sysinternals Process Explorer for process management, its deployment by other tools, such as the Kernel Driver Utility (KDU) or Ghost-In-The-Logs, within temporary directories is highly suspicious. Attackers and red teamers utilize KDU and Ghost-In-The-Logs to load vulnerable drivers like <code>PROCEXP152.sys</code> for defense evasion, specifically to impair or bypass security monitoring solutions like Sysmon and Windows Event Logging. This technique allows adversaries to hide their activities, making it harder for defenders to detect malicious processes, network connections, and file manipulations. The presence of this file in an unusual location, decoupled from its legitimate Sysinternals executable, strongly indicates potential malicious intent to compromise system visibility.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>A full multi-stage attack chain is not described in the source material, which focuses on a specific defense evasion technique rather than an end-to-end campaign. The technique primarily involves an attacker having already achieved initial access and aiming to maintain persistence and evade detection.</p>
<h2 id="impact">Impact</h2>
<p>Successful deployment of the <code>PROCEXP152.sys</code> driver by malicious tools for defense evasion can lead to significant compromise of system visibility. By bypassing Sysmon and Windows Event Logging, attackers can execute commands, establish persistence, exfiltrate data, or deploy additional malware without leaving observable traces in standard security logs. This impairment makes it exceedingly difficult for security operations centers to detect and respond to ongoing intrusions, leading to prolonged dwell times and potentially widespread damage. While no specific victim counts are mentioned, this technique is broadly applicable to Windows environments, affecting organizations of all sectors reliant on endpoint detection for security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>Suspicious PROCEXP152.sys File Created In TMP</code> Sigma rule to your SIEM/EDR to detect the creation of this driver in suspicious locations.</li>
<li>Ensure <code>File Creation</code> logging (Event ID 11) is enabled for Sysmon or similar file system monitoring to capture the artifact referenced in the rule.</li>
<li>Investigate any alerts generated by the <code>Suspicious PROCEXP152.sys File Created In TMP</code> rule, focusing on the parent process responsible for creating the <code>.sys</code> file.</li>
<li>Review the referenced blog post (<a href="https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/">https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/</a>) for further context on defense evasion techniques involving drivers.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>driver-abuse</category><category>windows</category><category>endpoint</category></item></channel></rss>