Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
Detects IIS worker process spawning command shell. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
2id: 60cb2beb-d2ba-4a47-ad68-e97576985c70
3status: experimental
4description: Detects IIS worker process spawning command shell. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.execution
11 - attack.t1059.003
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage|endswith:
18 - '\w3wp.exe'
19 - '\wmiprvse.exe'
20 Image|endswith: '\cmd.exe'
21 CommandLine|contains:
22 - 'http://'
23 - 'https://'
24 - 'echo'
25 condition: selection
26falsepositives:
27 - Unknown
28level: low```
References
-
Windows Command Shell is a favorite among adversaries because it can call on any executable on the system to execute batch files and more.
Read More
Related rules
- Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
- Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
- Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
- Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)
- Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)