Unusual Parent Process for cmd.exe
Identifies a suspicious parent-child process relationship in which cmd.exe is spawned by a process that does not normally launch a command shell.
[metadata]
# Authoring / revision bookkeeping (YYYY/MM/DD).
creation_date = "2020/08/21"
updated_date = "2024/10/15"
# Fleet integrations whose process events this rule is written against. The
# field names used in the query must exist in every one of these sources.
integration = [
    "endpoint",
    "windows",
    "sentinel_one_cloud_funnel",
    "m365_defender",
]
maturity = "production"
# The Windows integration introduced a breaking change at 8.14.0, so the rule is
# pinned to that floor. Do not lower it without re-validating the query's field
# names against the older integration schema.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
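[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
# Look-back window. Combined with timestamp_override = "event.ingested" below the
# rule is evaluated on ingest time, so late-arriving events are still seen as
# long as (window - schedule interval) covers the ingest delay.
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual Parent Process for cmd.exe"
risk_score = 47
rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
# No `note` (investigation guide) or `false_positives` list is defined for this
# rule; triage has to rely on the parent-process context alone.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic.
# - Parent names are matched with `:` (case-insensitive, wildcard-capable), so
#   "LogonUI.exe" and "logonui.exe" are treated alike.
# - The child is identified by its on-disk name OR by the PE OriginalFilename,
#   so a copy of cmd.exe renamed on disk is still caught. Not every listed data
#   source populates process.pe.original_file_name; the `or` keeps the name-only
#   match working where the field is absent.
# - The single exclusion suppresses dllhost.exe when it is surrogate-hosting one
#   specific COM server CLSID (presumably a known-benign source of cmd.exe
#   children - confirm before relying on it). Note the exclusion keys on parent
#   *name* and *command line* only: a binary dropped under the name dllhost.exe
#   and started with the same /Processid argument would also be excluded.
#   Tighten it with process.parent.executable (System32/SysWOW64 paths) if the
#   tenant's data sources reliably populate that field.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : "cmd.exe" or process.pe.original_file_name : "Cmd.Exe") and
  process.parent.name : ("lsass.exe",
                         "csrss.exe",
                         "epad.exe",
                         "regsvr32.exe",
                         "dllhost.exe",
                         "LogonUI.exe",
                         "wermgr.exe",
                         "spoolsv.exe",
                         "jucheck.exe",
                         "jusched.exe",
                         "ctfmon.exe",
                         "taskhostw.exe",
                         "GoogleUpdate.exe",
                         "sppsvc.exe",
                         "sihost.exe",
                         "slui.exe",
                         "SIHClient.exe",
                         "SearchIndexer.exe",
                         "SearchProtocolHost.exe",
                         "FlashPlayerUpdateService.exe",
                         "WerFault.exe",
                         "WUDFHost.exe",
                         "unsecapp.exe",
                         "wlanext.exe" ) and
  not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")
'''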
[[rule.threat]]
framework = "MITRE ATT&CK"

# Tactic and technique both belong to this [[rule.threat]] element; TOML allows
# the sub-tables in either order.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# Mapped to the parent technique only. If the taxonomy is refined, the Windows
# Command Shell sub-technique (T1059.003) is the more specific fit for cmd.exe.
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Execution from Unusual Directory - Command Line
- Execution via local SxS Shared Module
- Microsoft Exchange Worker Spawning Suspicious Processes