Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
Sigma rule

```yaml
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: test
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
    - https://twitter.com/filip_dragovic/status/1590052248260055041
    - https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022-11-10
modified: 2025-07-04
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2022-41120
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter_main_temp_sysmon:
        # C:\Users\ADMINI~1\AppData\Local\Temp\2\Sysmon.exe
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter_main_generic:
        Image|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
            - ':\Windows\System32\conhost.exe'
            - ':\Windows\System32\WerFault.exe' # When Sysmon crashes
            - ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
            - ':\Windows\System32\wevtutil.exe'
            - ':\Windows\SysWOW64\wevtutil.exe'
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
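To see exactly which process creations the selection and the three `filter_main_*` blocks let through, the rule logic is re-implemented below in plain Python and run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or the rule authors; the event dicts and their `case` labels are made up for the demonstration, and the matching follows the Sigma convention that `startswith`/`contains`/`endswith` compare case-insensitively.

```python
"""
Plain-Python re-implementation of the Sigma rule
"Suspicious Sysmon as Execution Parent" (6d1058a4-407e-4f3a-a144-1968c11dc5c3).

Added example, not code from the Sigma project. The events in SAMPLE_EVENTS
are constructed for illustration and are not real telemetry.
"""
from typing import Iterable, List, Optional

# selection: ParentImage|endswith
SYSMON_IMAGES = ("\\sysmon.exe", "\\sysmon64.exe")

# filter_main_generic: Image|contains (already lower-cased for matching)
GENERIC_ALLOWED_IMAGES = (
    ":\\windows\\sysmon.exe",                    # Sysmon updating / reinstalling itself
    ":\\windows\\sysmon64.exe",
    ":\\windows\\system32\\conhost.exe",
    ":\\windows\\system32\\werfault.exe",        # when Sysmon crashes
    ":\\windows\\system32\\werfaultsecure.exe",  # when Sysmon crashes
    ":\\windows\\system32\\wevtutil.exe",
    ":\\windows\\syswow64\\wevtutil.exe",
)


def _lower(value: Optional[str]) -> Optional[str]:
    """Sigma string modifiers match case-insensitively; None stays None."""
    return value.lower() if isinstance(value, str) else None


def selection(event: dict) -> bool:
    parent = _lower(event.get("ParentImage"))
    return parent is not None and parent.endswith(SYSMON_IMAGES)


def filter_main_temp_sysmon(event: dict) -> bool:
    """Sysmon binary executed from a user's Temp directory (e.g. an install run)."""
    image = _lower(event.get("Image"))
    return (
        image is not None
        and image.startswith("c:\\users\\")
        and "\\appdata\\local\\temp\\" in image
        and image.endswith(SYSMON_IMAGES)
    )


def filter_main_generic(event: dict) -> bool:
    image = _lower(event.get("Image"))
    return image is not None and any(s in image for s in GENERIC_ALLOWED_IMAGES)


def filter_main_null(event: dict) -> bool:
    return event.get("Image") is None


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not selection(event):
        return False
    return not (
        filter_main_temp_sysmon(event)
        or filter_main_generic(event)
        or filter_main_null(event)
    )


def alerting_cases(events: Iterable[dict]) -> List[str]:
    """Return the `case` labels of the events the rule would alert on."""
    return [e["case"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"case": "shell_from_sysmon",
     "ParentImage": "C:\\Windows\\Sysmon64.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"case": "crash_handler",
     "ParentImage": "C:\\Windows\\Sysmon64.exe",
     "Image": "C:\\Windows\\System32\\WerFault.exe"},
    {"case": "install_from_temp",
     "ParentImage": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\Sysmon64.exe",
     "Image": "C:\\Windows\\Sysmon64.exe"},
    {"case": "temp_sysmon_child",
     "ParentImage": "C:\\Windows\\Sysmon64.exe",
     "Image": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\Sysmon.exe"},
    {"case": "missing_image",
     "ParentImage": "C:\\Windows\\Sysmon64.exe",
     "Image": None},
    {"case": "service_start",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\Sysmon64.exe"},
    {"case": "lowercase_parent_conhost",
     "ParentImage": "c:\\windows\\sysmon64.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe"},
    {"case": "temp_payload_from_sysmon",
     "ParentImage": "C:\\Windows\\Sysmon64.exe",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
]

if __name__ == "__main__":
    for case in alerting_cases(SAMPLE_EVENTS):
        print("ALERT:", case)
```

Only `shell_from_sysmon` and `temp_payload_from_sysmon` survive the filters. The `temp_sysmon_child` case shows the trade-off built into `filter_main_temp_sysmon`: any child of Sysmon whose image is named `Sysmon.exe` or `Sysmon64.exe` under a user's `AppData\Local\Temp` is suppressed, so a payload dropped under that name would not alert on this rule alone.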
Related rules
- Potential CVE-2024-35250 Exploitation Activity
- Exploiting CVE-2019-1388
- Potential CVE-2021-41379 Exploitation Attempt
- HackTool - SysmonEOP Execution
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event