title: ProcessHacker Privilege Elevation
author: Florian Roth
date: 2021/05/27
description: Detects a ProcessHacker tool that elevated privileges to a very high
  level
detection:
  SELECTION_1:
    EventID: 7045
  SELECTION_2:
    ServiceName: ProcessHacker*
  SELECTION_3:
    AccountName: LocalSystem
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unlikely
id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
level: high
logsource:
  product: windows
  service: system
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
status: experimental
tags:
- attack.execution
- attack.privilege_escalation
- attack.t1543.003
- attack.t1569.002
ruletype: SIGMA