PowerShell spawning Cmd
Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe."
10from = "now-9m"
11index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
12language = "kuery"
13license = "Elastic License v2"
14name = "PowerShell spawning Cmd"
15risk_score = 21
16rule_id = "0f616aee-8161-4120-857e-742366f5eeb3"
17severity = "low"
18tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
19timestamp_override = "event.ingested"
20type = "query"
21
22query = '''
23event.category:process and event.type:(start or process_started) and
24 process.parent.name:powershell.exe and process.name:cmd.exe
25'''
26
27
28[[rule.threat]]
29framework = "MITRE ATT&CK"
30[[rule.threat.technique]]
31id = "T1059"
32name = "Command and Scripting Interpreter"
33reference = "https://attack.mitre.org/techniques/T1059/"
34[[rule.threat.technique.subtechnique]]
35id = "T1059.001"
36name = "PowerShell"
37reference = "https://attack.mitre.org/techniques/T1059/001/"
38
39
40
41[rule.threat.tactic]
42id = "TA0002"
43name = "Execution"
44reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Execution via Regsvcs/Regasm
- Query Registry via reg.exe
- Process Discovery via Tasklist
- Trusted Developer Application Usage
- Base64 Encoding/Decoding Activity