Medium Risk | Windows | Legitimate | Commonly Abused
procexp.exe - Diagnostic Tool

procexp.exe - Process Explorer Security Analysis

procexp.exe (Process Explorer) is the **Sysinternals advanced process viewer**. It is a legitimate diagnostic tool, but attackers use it for **reconnaissance**, for **terminating security processes**, and for its Microsoft-signed kernel driver (PROCEXP152.sys), which can be loaded to bypass protections that user-mode code cannot. That signed driver is also dropped and loaded by attacker tooling without Process Explorer itself, giving kernel-level handle and process control.

Risk Summary

MEDIUM priority for SOC triage. procexp.exe is a legitimate Sysinternals tool that can be used for reconnaissance or for terminating security tools. Its signed kernel driver (PROCEXP152.sys) has been abused to kill protected processes, including on hosts where Process Explorer itself never ran. Triage on context: who ran it, from where, under which parent process, and what happened to security processes afterwards.

Overview

What is procexp.exe?

Process Explorer is an advanced task manager from Microsoft Sysinternals.

Core Functions

Process Management:

  • View detailed process info
  • Kill processes
  • View handles and DLLs
  • Loads its own kernel driver (PROCEXP152.sys) for handle enumeration and for process/handle operations that user mode cannot perform

Security Significance

  • Dual-Use Tool: Legitimate and malicious use
  • Driver Abuse: PROCEXP152.sys loaded for kernel access, with or without the tool itself
  • Recon Tool: Detailed system info
  • Process Kill: Can terminate security tools

Normal Behavior

Expected Process State

Property   Expected Value
Path       Various (portable tool)
Parent     explorer.exe
User       Administrator
Context    Troubleshooting

Common Locations

Portable - various locations, e.g. C:\SysinternalsSuite\procexp.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Context:     IT troubleshooting
User:        Administrator
Usage:       Occasional diagnostic

SUSPICIOUS

Context:     After initial compromise
             Automated execution
Usage:       Kill security processes
             Driver loading for attacks

Abuse Techniques

Technique #1: Security Tool Termination (T1562.001)

Using Process Explorer to kill AV/EDR processes.

Technique #2: Driver Abuse (T1068)

PROCEXP152.sys, the Microsoft-signed driver Process Explorer loads, has been dropped and loaded by attacker tooling without Process Explorer itself (bring-your-own-vulnerable-driver) to close handles and terminate protected processes from kernel mode.

Technique #3: Reconnaissance (T1057)

Detailed process and system enumeration.

Remediation Steps

Defense: Limit Tool Access

Restrict Sysinternals tools to IT: allow procexp.exe only for IT administrator accounts through application control (AppLocker or WDAC), and alert on PROCEXP152.sys driver loads on hosts where no IT troubleshooting is expected.

If Abuse Suspected

  1. Check what processes were viewed or killed, and whether any security tool (AV/EDR) process terminated shortly after procexp.exe started
  2. Review driver loading (Sysmon Event ID 6 for PROCEXP152.sys), in particular loads with no matching procexp.exe process start
  3. Assess whether it was used for reconnaissance: which user, which parent process, and whether the launch was interactive or scripted

Investigation Checklist

  • Identify user running Process Explorer
  • Check for driver loading
  • Review what processes were accessed
  • Assess context (legitimate troubleshooting?)
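
As an added example that is not part of this page, the following Python turns the legitimate-vs-suspicious indicators, the three techniques above and this checklist into a triage function over Sysmon-style events (field names follow Sysmon Event IDs 1, 5 and 6). The sample events, the IT account list, the security-tool process names and the five-minute correlation window are constructed assumptions, not telemetry from any incident.

```python
"""Triage Process Explorer activity from Sysmon-style events.

Added example; the event records, account and tool lists below are constructed
assumptions, not telemetry from a real incident.
"""
from datetime import datetime, timedelta

PROCEXP_IMAGES = {"procexp.exe", "procexp64.exe"}
PROCEXP_DRIVER = "procexp152.sys"          # driver Process Explorer loads for kernel-mode work
WINDOW = timedelta(minutes=5)              # correlation window (assumed; tune per estate)

# Hypothetical lists, tune per environment:
SECURITY_TOOLS = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "elastic-endpoint.exe"}
SCRIPTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "services.exe"}
IT_ACCOUNTS = {"corp\\it-admin"}           # accounts expected to run Sysinternals tools


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    # Sysmon UtcTime ("2026-01-18 09:00:00.123") parses with fromisoformat.
    return datetime.fromisoformat(event["UtcTime"])


def _seconds_between(later, earlier):
    return (_ts(later) - _ts(earlier)).total_seconds()


def triage(events):
    """Score one host's events against the indicators on this page.

    Returns {"verdict": ..., "findings": [...]} where verdict is
    NONE   (no Process Explorer activity), MEDIUM (procexp ran; baseline SOC
    priority, findings describe context) or HIGH (a security tool was killed
    after procexp started, or the driver loaded without the tool: BYOVD).
    """
    events = sorted(events, key=_ts)
    starts = [e for e in events
              if e["EventID"] == 1 and _basename(e["Image"]) in PROCEXP_IMAGES]
    driver_loads = [e for e in events
                    if e["EventID"] == 6 and _basename(e["ImageLoaded"]) == PROCEXP_DRIVER]
    findings, high = [], False

    for start in starts:
        # Context: who launched it and how (interactive admin vs script/service).
        if start["User"].lower() not in IT_ACCOUNTS:
            findings.append(f"T1057: procexp started by non-IT account {start['User']}")
        parent = _basename(start["ParentImage"])
        if parent in SCRIPTED_PARENTS:
            findings.append(f"automated launch: parent process {parent}")
        # T1562.001: a security tool terminated (Event ID 5) shortly after the start.
        for e in events:
            if e["EventID"] == 5 and _basename(e["Image"]) in SECURITY_TOOLS:
                delta = _seconds_between(e, start)
                if 0 <= delta <= WINDOW.total_seconds():
                    findings.append(f"T1562.001: {_basename(e['Image'])} terminated "
                                    f"{int(delta)}s after procexp start")
                    high = True

    # T1068: the driver loaded (Event ID 6) with no procexp start nearby means
    # something else brought and loaded it (bring-your-own-vulnerable-driver).
    for load in driver_loads:
        if not any(abs(_seconds_between(load, s)) <= WINDOW.total_seconds() for s in starts):
            findings.append(f"T1068: {PROCEXP_DRIVER} loaded with no procexp.exe start "
                            f"within {int(WINDOW.total_seconds())}s (possible BYOVD)")
            high = True

    if not starts and not driver_loads:
        return {"verdict": "NONE", "findings": []}
    return {"verdict": "HIGH" if high else "MEDIUM", "findings": findings}


# Constructed sample events (Sysmon field names; not real telemetry).
LEGIT = [
    {"EventID": 1, "UtcTime": "2026-01-18 09:00:00.000",
     "Image": "C:\\SysinternalsSuite\\procexp64.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\it-admin"},
    {"EventID": 6, "UtcTime": "2026-01-18 09:00:02.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\PROCEXP152.SYS"},
]
SUSPICIOUS = [
    {"EventID": 1, "UtcTime": "2026-01-18 03:12:00.000",
     "Image": "C:\\Users\\Public\\procexp.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"},
    {"EventID": 6, "UtcTime": "2026-01-18 03:12:01.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\PROCEXP152.SYS"},
    {"EventID": 5, "UtcTime": "2026-01-18 03:12:40.000",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
]
BYOVD_ONLY = [
    {"EventID": 6, "UtcTime": "2026-01-18 03:30:15.000",
     "ImageLoaded": "C:\\Users\\Public\\PROCEXP152.SYS"},
]

if __name__ == "__main__":
    for name, evs in (("legit", LEGIT), ("suspicious", SUSPICIOUS), ("byovd", BYOVD_ONLY)):
        print(name, triage(evs))
```

The kill check is temporal rather than causal because Sysmon Event ID 5 records only the process that terminated, not who terminated it; a security-tool exit inside the window after a procexp start is therefore a lead to confirm, not proof. The driver check is the stronger signal: PROCEXP152.sys appearing with no Process Explorer start on the host is the pattern of the BYOVD tooling described under Technique #2.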

MITRE ATT&CK Techniques

  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1068 - Exploitation for Privilege Escalation
  • T1057 - Process Discovery

Last verified: January 18, 2026