LoFP

Other legitimate tools using these service names and drivers. Note: an attacker can trivially bypass this detection by registering the driver under a different service name, which is why the rule is rated only medium level and should not be relied on by itself.

Techniques

Sample rules

Suspicious Service Installed

Description

Detects installation of the NalDrv or PROCEXP152 service via registry keys pointing to a driver outside the system32 folder. Both services are used by the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) to load its code via a signed, vulnerable driver (NalDrv is the Intel network adapter diagnostic driver service, PROCEXP152 the Process Explorer driver service). Legitimate use of Process Explorer, Process Monitor and Handle loads PROCEXP152.SYS from \WINDOWS\system32\Drivers and is filtered out; there is no benign filter for NalDrv.

Detection logic

selection:
  TargetObject:
  - HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath
  - HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath
filter:
  Details|contains: \WINDOWS\system32\Drivers\PROCEXP152.SYS
  Image|endswith:
  - \procexp64.exe
  - \procexp.exe
  - \procmon64.exe
  - \procmon.exe
  - \handle.exe
  - \handle64.exe
condition: selection and not filter
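The following is an added worked example, not code from the rule, from Sigma or from the Ghost-In-The-Logs project: it re-implements the selection, filter and condition above in Python and runs them over constructed Sysmon Event ID 13 (registry value set) records. Field names (TargetObject, Details, Image) follow the Sysmon registry_set schema; all sample events, file paths and binary names are constructed for illustration. It also shows the two points a practitioner should check: the filter only suppresses an event when both its fields match (fields inside one Sigma map are AND-ed), and the renamed-service evasion mentioned in the false-positive note produces no alert at all.

```python
"""Evaluate the 'Suspicious Service Installed' Sigma logic over constructed
Sysmon Event ID 13 records.  Added example; not the rule's or Sigma's code.
All events below are constructed samples, not real telemetry."""

from typing import Iterable

# selection: the two ImagePath values the rule watches
SELECTION_TARGETS = (
    r"HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath",
    r"HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath",
)
# filter: Details|contains ...
FILTER_DETAILS_SUBSTRING = r"\WINDOWS\system32\Drivers\PROCEXP152.SYS"
# filter: Image|endswith ...
FILTER_IMAGE_SUFFIXES = (
    r"\procexp64.exe", r"\procexp.exe",
    r"\procmon64.exe", r"\procmon.exe",
    r"\handle.exe", r"\handle64.exe",
)


def _norm(value: str) -> str:
    # Sigma string comparisons are case-insensitive, so casefold both sides.
    return value.casefold()


def selection(event: dict) -> bool:
    """selection: TargetObject equals one of the listed ImagePath values."""
    target = _norm(event.get("TargetObject", ""))
    return any(target == _norm(t) for t in SELECTION_TARGETS)


def filter_(event: dict) -> bool:
    """filter: BOTH map entries must hold (fields in one Sigma map are AND-ed)."""
    details_ok = _norm(FILTER_DETAILS_SUBSTRING) in _norm(event.get("Details", ""))
    image = _norm(event.get("Image", ""))
    image_ok = any(image.endswith(_norm(s)) for s in FILTER_IMAGE_SUFFIXES)
    return details_ok and image_ok


def matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return selection(event) and not filter_(event)


def alerting_ids(events: Iterable[dict]) -> list:
    """Return the 'id' of every event the rule fires on, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed Sysmon Event ID 13 samples (hypothetical paths and binaries).
SAMPLE_EVENTS = [
    {   # Process Explorer loading its driver from system32 -> filtered, no alert
        "id": "procexp-benign",
        "Image": r"C:\Tools\SysinternalsSuite\procexp64.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath",
        "Details": r"\??\C:\WINDOWS\system32\Drivers\PROCEXP152.SYS",
    },
    {   # Same service name, unknown loader, driver dropped in Temp -> alert
        "id": "procexp152-from-temp",
        "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath",
        "Details": r"\??\C:\Users\alice\AppData\Local\Temp\PROCEXP152.SYS",
    },
    {   # NalDrv has no benign filter -> alert regardless of Image
        "id": "naldrv-any",
        "Image": r"C:\Windows\Temp\kdu.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath",
        "Details": r"\??\C:\Windows\Temp\NalDrv.sys",
    },
    {   # Binary named procexp64.exe but driver outside system32 -> filter needs both, alert
        "id": "procexp-name-wrong-path",
        "Image": r"C:\Users\alice\Downloads\procexp64.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath",
        "Details": r"\??\C:\Users\alice\Downloads\PROCEXP152.SYS",
    },
    {   # The caveat from the false-positive note: renamed service -> selection misses
        "id": "renamed-service",
        "Image": r"C:\Windows\Temp\kdu.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\NalDrv2\ImagePath",
        "Details": r"\??\C:\Windows\Temp\NalDrv.sys",
    },
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:26} {'ALERT' if matches(e) else 'ok'}")
```

Running the block prints one line per sample; only the benign Process Explorer load and the renamed service stay quiet. The last case is exactly the bypass the false-positive note warns about: nothing in this rule keys on the driver file itself, so pairing it with a detection on the driver's hash or signer is the natural complement.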