Unusual Parent Process for cmd.exe

Identifies a suspicious parent-child process relationship in which cmd.exe descends from an unusual parent process.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/21"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Parent Process for cmd.exe"
risk_score = 47
rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "cmd.exe" and
  process.parent.name : ("lsass.exe",
                         "csrss.exe",
                         "epad.exe",
                         "regsvr32.exe",
                         "dllhost.exe",
                         "LogonUI.exe",
                         "wermgr.exe",
                         "spoolsv.exe",
                         "jucheck.exe",
                         "jusched.exe",
                         "ctfmon.exe",
                         "taskhostw.exe",
                         "GoogleUpdate.exe",
                         "sppsvc.exe",
                         "sihost.exe",
                         "slui.exe",
                         "SIHClient.exe",
                         "SearchIndexer.exe",
                         "SearchProtocolHost.exe",
                         "FlashPlayerUpdateService.exe",
                         "WerFault.exe",
                         "WUDFHost.exe",
                         "unsecapp.exe",
                         "wlanext.exe" ) and
  not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Parent Process for cmd.exe

Cmd.exe is a command-line interpreter on Windows systems, often used for legitimate administrative tasks. However, adversaries can exploit it by launching it from atypical parent processes to execute malicious commands stealthily. The detection rule identifies such anomalies by flagging cmd.exe instances spawned by uncommon parent processes, which may indicate unauthorized or suspicious activity, thus aiding in early threat detection.

### Possible investigation steps

- Review the process tree to understand the context in which cmd.exe was launched, focusing on the parent process identified in the alert.
- Investigate the parent process by examining its command-line arguments, start time, and any associated network activity to determine if it is behaving anomalously.
- Check the historical behavior of the parent process to see if it has previously spawned cmd.exe or if this is an unusual occurrence.
- Analyze any child processes spawned by the cmd.exe instance to identify potentially malicious activities or commands executed.
- Correlate the alert with other security events or logs from the same host to identify any related suspicious activities or patterns.
- Assess the user account associated with the cmd.exe process to determine if it has been compromised or is exhibiting unusual behavior.
- Consult threat intelligence sources to see if the parent process or its behavior is associated with known malware or attack techniques.

### False positive analysis

- Cmd.exe instances spawned by legitimate system maintenance tools like Windows Update or system indexing services can trigger false positives. Users can create exceptions for processes like SearchIndexer.exe or WUDFHost.exe if they are verified as part of routine system operations.
- Software updates or installations that use cmd.exe for scripting purposes might be flagged. If GoogleUpdate.exe or FlashPlayerUpdateService.exe are known to be part of regular update processes, consider excluding them after confirming their legitimacy.
- Administrative scripts or tools that are scheduled to run via Task Scheduler might use cmd.exe and be flagged. If taskhostw.exe is a known parent process for these tasks, verify and exclude it to prevent unnecessary alerts.
- Certain third-party applications might use cmd.exe for legitimate background tasks. If applications like jusched.exe or jucheck.exe are identified as part of trusted software, they can be excluded after validation.
- System recovery or diagnostic tools that interact with cmd.exe could be misidentified. If WerFault.exe or wermgr.exe are part of these processes, ensure they are legitimate and exclude them accordingly.

### Response and remediation

- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary.
- Terminate the suspicious cmd.exe process and its parent process to halt any ongoing malicious activity.
- Conduct a thorough review of the affected system's recent activity logs to identify any unauthorized changes or additional compromised processes.
- Restore any altered or deleted files from a known good backup to ensure system integrity.
- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for cmd.exe and its parent processes to detect similar anomalies in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
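
To see exactly what the query above does and does not fire on before deploying it, the following Python re-implements its clauses and runs them over constructed process-start events. EQL's `:` operator is a case-insensitive match with `*`/`?` wildcards, and on an array field such as process.parent.args it matches when any element matches; `==` is exact. This is an added example, not Elastic's code: the sample events, the ExampleCorp scheduled-task exception and the placeholder CLSID in the third event are assumptions made for the demonstration, and the scoped-exception and critical-parent logic are suggested additions, not part of the rule.

```python
"""Offline emulation of the 'Unusual Parent Process for cmd.exe' EQL query (added example)."""
import fnmatch

# Parent process names the query treats as unusual for cmd.exe, copied from the rule.
UNUSUAL_PARENTS = [
    "lsass.exe", "csrss.exe", "epad.exe", "regsvr32.exe", "dllhost.exe", "LogonUI.exe",
    "wermgr.exe", "spoolsv.exe", "jucheck.exe", "jusched.exe", "ctfmon.exe", "taskhostw.exe",
    "GoogleUpdate.exe", "sppsvc.exe", "sihost.exe", "slui.exe", "SIHClient.exe",
    "SearchIndexer.exe", "SearchProtocolHost.exe", "FlashPlayerUpdateService.exe",
    "WerFault.exe", "WUDFHost.exe", "unsecapp.exe", "wlanext.exe",
]
# The query's single built-in exclusion: a dllhost.exe COM surrogate started with this CLSID.
DLLHOST_EXCLUDED_ARG = "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}"
# Parents that must never be killed during response (not from the rule): both are critical
# Windows processes; terminating csrss.exe bugchecks the host, terminating lsass.exe forces a reboot.
CRITICAL_PARENTS = {"lsass.exe", "csrss.exe"}
# Hypothetical tuning exception for this example (not part of the rule): suppress only a
# verified parent/child pairing, never the parent name on its own.
SCOPED_EXCEPTIONS = [
    {"parent": "taskhostw.exe",
     "child_command_line": "cmd.exe /c C:\\ProgramData\\ExampleCorp\\rotate-logs.cmd"},
]


def get(event, path):
    """Look up a dotted ECS field name in a nested dict; None when any segment is absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def as_list(value):
    return value if isinstance(value, list) else [value]


def eq(value, literal):
    """EQL '==': exact, case-sensitive; a multi-valued field matches if any element equals."""
    return literal in as_list(value)


def like(value, pattern):
    """EQL ':': case-insensitive with '*' and '?' wildcards; any element of an array may match."""
    pat = pattern.lower()
    return any(v is not None and fnmatch.fnmatchcase(str(v).lower(), pat) for v in as_list(value))


def rule_matches(event):
    """The 'process where ...' clause of the query, evaluated in the order it is written."""
    if not eq(get(event, "event.category"), "process"):
        return False
    if not (eq(get(event, "host.os.type"), "windows") and eq(get(event, "event.type"), "start")):
        return False
    if not like(get(event, "process.name"), "cmd.exe"):
        return False
    if not any(like(get(event, "process.parent.name"), p) for p in UNUSUAL_PARENTS):
        return False
    if like(get(event, "process.parent.name"), "dllhost.exe") and \
            like(get(event, "process.parent.args"), DLLHOST_EXCLUDED_ARG):
        return False  # the rule's built-in exclusion
    return True


def scoped_exception(event):
    """True only when both the parent and the exact child command line are on the allow-list."""
    return any(like(get(event, "process.parent.name"), ex["parent"])
               and like(get(event, "process.command_line"), ex["child_command_line"])
               for ex in SCOPED_EXCEPTIONS)


def triage(events):
    """One verdict per event: no-match, suppressed, alert, or alert-critical-parent."""
    verdicts = []
    for ev in events:
        if not rule_matches(ev):
            verdicts.append("no-match")
        elif scoped_exception(ev):
            verdicts.append("suppressed")
        elif str(get(ev, "process.parent.name")).lower() in CRITICAL_PARENTS:
            verdicts.append("alert-critical-parent")
        else:
            verdicts.append("alert")
    return verdicts


def event(parent, name="cmd.exe", parent_args=None, command_line=None,
          event_type="start", os_type="windows"):
    """Build a constructed ECS-style process event (sample data, not captured telemetry)."""
    return {
        "event": {"category": "process", "type": event_type},
        "host": {"os": {"type": os_type}},
        "process": {"name": name, "command_line": command_line or name,
                    "parent": {"name": parent, "args": parent_args or [parent]}},
    }


SAMPLE_EVENTS = [
    event("lsass.exe"),                                     # fires, and the parent must not be killed
    event("dllhost.exe", parent_args=["C:\\Windows\\system32\\DllHost.exe",
                                      DLLHOST_EXCLUDED_ARG]),  # the rule's own exclusion
    event("dllhost.exe", parent_args=["DllHost.exe",
                                      "/Processid:{11111111-2222-3333-4444-555555555555}"]),  # placeholder CLSID
    event("WerFault.exe", name="CMD.EXE"),                  # ':' matches regardless of case
    event("explorer.exe"),                                  # parent not in the list
    event("WerFault.exe", event_type="end"),                # not a start event
    event("taskhostw.exe", command_line=SCOPED_EXCEPTIONS[0]["child_command_line"]),  # suppressed
    event("taskhostw.exe", command_line="cmd.exe /c whoami"),  # same parent, different child
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:22} {get(ev, 'process.parent.name')} -> {get(ev, 'process.command_line')}")
```

The scoped exception deliberately requires the parent and the exact child command line together: excluding a parent name such as SearchIndexer.exe outright, as the false-positive guidance above suggests, removes the rule's coverage for that parent entirely, and a process that should never spawn cmd.exe is precisely where the rule earns its keep. The alert-critical-parent verdict exists because the response guidance says to terminate the parent process: for lsass.exe and csrss.exe that crashes or reboots the host, so isolate the host and collect memory first instead of killing the parent.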
