Process Explorer - ProcExp152.sys Driver Flagged As Vulnerable

Marc Denman 76

Hello-

We are leveraging a new security solution in our environment that adds protection to our endpoints. The XDR solution has a rule that is detecting the driver ProcExp152.sys as being "vulnerable". I have asked our security vendor to better explain and was provided this explanation.

The driver load/write that is blocked by this rule is a driver that has a known vulnerability in it. an attacker can use this vulnerability to gain privilege escalation and (among other things) disable the XDR agent.

So my question is: Does this driver in fact contain a known vulnerability and if so, if there a newer version which was fixed?

Christian 16 Reputation points

2023-10-31T07:43:42.0666667+00:00

Our XDR reports this:

CortexXDR - Generic Usecase with 2 'Impair Defenses - 3645069560' alerts prevented by XDR Agent on host <hostname> involving user n/a system at 2023-09-04 12:35:23. Threat Analysis: Tampering capable driver with the original name 'procexp.sys' was loaded to the system at 2023-09-04 12:34:57 and 2023-09-04 14:38:17 from following Path: Type : Load Load Path : C:\WINDOWS\system32\Drivers PROCEXP152.SYS This driver was loaded from Process Explorer Application (Sysinternals) <some folder> procexp64.exe Measures done by InfoGuard AG SOC: Some of the procexp.sys drivers are vulnerable to the attack technique called 'Bring Your Own Vulnerable Driver' (BYOVD). Attackers may install a legitimate kernel driver and exploit its vulnerability to gain kernel access. We checked the logs around the time of the incident and could not find anything suspicious.

cross-linking this thread here: https://learn.microsoft.com/en-us/answers/questions/1346514/procexp152-sys-driver-cannot-load-due-to-security

and linking more detailed report: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

I did not noticed any limitations (without the driver being loaded) while using this tool, is there anything that should be noticeable?
joseph brewer 0 Reputation points

2024-02-05T05:11:59.2666667+00:00

This popped up after updating the RECentral App from AverMedia

11 answers

Nick Westgate 1 Reputation point

2024-08-13T01:12:03.87+00:00

Does anyone have any further updates?

I notice in the Microsoft recommended driver block rules they appear to block versions prior to the current major version (17 at the time of writing).

<FileAttrib ID="ID_FILEATTRIB_PROCEXP" FriendlyName="Sysinternals Process Explorer FileAttribute" FileName="procexp.Sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="16.65535.65535.65535" />

MS should really address this on the Process Explorer home page.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Process Explorer - ProcExp152.sys Driver Flagged As Vulnerable

11 answers

Your answer