Merge PR #5914 from @netikus - Update Potential Privileged System Service Operation - SeLoadDriverPrivilege

fix: Potential Privileged System Service Operation - SeLoadDriverPrivilege - Add new filter for ShellHost.exe and SystemSettings.exe --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-01 06:36:52 -05:00
parent 3fe2695635
commit 7031934d17
1 changed files with 17 additions and 15 deletions
@@ -12,7 +12,7 @@ references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019-04-08
-modified: 2025-10-07
+modified: 2026-03-29
 tags:
    - attack.defense-evasion
    - attack.t1562.001
@@ -26,24 +26,26 @@ detection:
        Service: '-'
    filter_main_exact:
        ProcessName:
-            - 'C:\Windows\System32\Dism.exe'
-            - 'C:\Windows\System32\rundll32.exe'
-            - 'C:\Windows\System32\fltMC.exe'
-            - 'C:\Windows\HelpPane.exe'
-            - 'C:\Windows\System32\mmc.exe'
-            - 'C:\Windows\System32\svchost.exe'
-            - 'C:\Windows\System32\wimserv.exe'
-            - 'C:\Windows\System32\RuntimeBroker.exe'
-            - 'C:\Windows\System32\SystemSettingsBroker.exe'
            - 'C:\Windows\explorer.exe'
+            - 'C:\Windows\HelpPane.exe'
+            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+            - 'C:\Windows\System32\Dism.exe'
+            - 'C:\Windows\System32\fltMC.exe'
+            - 'C:\Windows\System32\mmc.exe'
+            - 'C:\Windows\System32\rundll32.exe'
+            - 'C:\Windows\System32\RuntimeBroker.exe'
+            - 'C:\Windows\System32\ShellHost.exe'
+            - 'C:\Windows\System32\svchost.exe'
+            - 'C:\Windows\System32\SystemSettingsBroker.exe'
+            - 'C:\Windows\System32\wimserv.exe'
    filter_optional_others:
        ProcessName|endswith:
-            - '\procexp64.exe'
-            - '\procexp.exe'
-            - '\procmon64.exe'
-            - '\procmon.exe'
-            - '\Google\Chrome\Application\chrome.exe'
            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+            - '\Google\Chrome\Application\chrome.exe'
+            - '\procexp.exe'
+            - '\procexp64.exe'
+            - '\procmon.exe'
+            - '\procmon64.exe'
    filter_main_startswith:
        ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
    filter_optional_dropbox: