This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 97%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
Hello-
We are leveraging a new security solution in our environment that adds protection to our endpoints. The XDR solution has a rule that is detecting the driver ProcExp152.sys as being "vulnerable". I have asked our security vendor to better explain and was provided this explanation.
The driver load/write that is blocked by this rule is a driver that has a known vulnerability in it. an attacker can use this vulnerability to gain privilege escalation and (among other things) disable the XDR agent.
So my question is: Does this driver in fact contain a known vulnerability and if so, if there a newer version which was fixed?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 27%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Our XDR reports this:
CortexXDR - Generic Usecase with 2 'Impair Defenses - 3645069560' alerts prevented by XDR Agent on host <hostname> involving user n/a system at 2023-09-04 12:35:23. Threat Analysis: Tampering capable driver with the original name 'procexp.sys' was loaded to the system at 2023-09-04 12:34:57 and 2023-09-04 14:38:17 from following Path: Type : Load Load Path : C:\WINDOWS\system32\Drivers PROCEXP152.SYS This driver was loaded from Process Explorer Application (Sysinternals) <some folder> procexp64.exe Measures done by InfoGuard AG SOC: Some of the procexp.sys drivers are vulnerable to the attack technique called 'Bring Your Own Vulnerable Driver' (BYOVD). Attackers may install a legitimate kernel driver and exploit its vulnerability to gain kernel access. We checked the logs around the time of the incident and could not find anything suspicious.
cross-linking this thread here: https://learn.microsoft.com/en-us/answers/questions/1346514/procexp152-sys-driver-cannot-load-due-to-security
and linking more detailed report: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
I did not noticed any limitations (without the driver being loaded) while using this tool, is there anything that should be noticeable?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 56.00000000000001%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
This popped up after updating the RECentral App from AverMedia
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 90%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELP%3C/text%3E%3C/svg%3E)
I wonder if Microsoft checks these forums. Maybe there's a better place to post this question? It's been a year now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 4%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
You'd hope so, especially since older versions of their driver are becoming a vector for ransomware. https://www.theregister.com/2023/04/24/microsoft_windows_driver_aukill_ransomware/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 23%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Hello,
I'm facing the same issue with my XDR solution.
But not the same behavior everywhere.
When the driver triggers an alert, it looks that this driver is located on the target endpoint to c:\windows\system32\drivers.
But, if I download the procexp64.exe tool from Microsoft to my computer, I run it and no problem with the XDR.
But I don't see any trace of this driver on my computer.
Maybe something related in a specific version ?
Did you find any solution ?
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 41%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
The driver is also mentioned here, but it is unclear which version is affected:
a-defenders-guide-for-rootkit-detection-episode-1-kernel-drivers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 56.00000000000001%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWD%3C/text%3E%3C/svg%3E)
Not malicious in of itself, but has a vulnerability (that particular version of the driver) that allows privilege escalation. It's been used by threat actors. Some Threat Intel sources included that, and other vulnerable software as hashes in a threat feed. At least one AV vendor added them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 63%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
I am also seeing this issue. Has there been any update from MS on this issue? I just put SentinelOne on Servers 2012R2 and it is detecting it as a threat and quarantining it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 86%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
The issue is still occuring, SentinelOne blocking this driver and the procexp64.exe process due to signature being revoked.