Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
Sigma rule

```yaml
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: experimental
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
    - https://twitter.com/filip_dragovic/status/1590052248260055041
    - https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022/11/10
modified: 2023/09/13
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2022.41120
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter_main_generic:
        - Image:
              - 'C:\Windows\Sysmon.exe'
              - 'C:\Windows\Sysmon64.exe'
              - 'C:\Windows\System32\conhost.exe'
              - 'wevtutil.exe'
              - 'C:\WINDOWS\system32\wevtutil.exe'
              - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
        - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
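To show how the condition `selection and not 1 of filter_main_*` evaluates, here is an added Python re-implementation of this rule's detection block (written for this page, not SigmaHQ or pySigma code) run over constructed process_creation events. It assumes Sigma's case-insensitive string matching and that `Image: null` matches an event whose Image field is missing; the event samples and function names are my own.

```python
# Detection block of the rule above, re-implemented for illustration.
SELECTION_PARENT_SUFFIXES = ("\\sysmon.exe", "\\sysmon64.exe")
FILTER_IMAGE_EXACT = {
    "c:\\windows\\sysmon.exe",
    "c:\\windows\\sysmon64.exe",
    "c:\\windows\\system32\\conhost.exe",
    "wevtutil.exe",
    "c:\\windows\\system32\\wevtutil.exe",
    "c:\\windows\\system32\\werfault.exe",  # Sysmon crash handler
}
FILTER_IMAGE_SUFFIX = "\\appdata\\local\\temp\\sysmon.exe"  # 32-bit Sysmon relaunch

def _lower(value):
    # Sigma string comparisons are case-insensitive; normalise once.
    return value.lower() if isinstance(value, str) else value

def selection(event):
    """ParentImage|endswith: '\\Sysmon.exe' or '\\Sysmon64.exe'."""
    parent = _lower(event.get("ParentImage"))
    return isinstance(parent, str) and parent.endswith(SELECTION_PARENT_SUFFIXES)

def filter_main_generic(event):
    """List of two alternatives: exact Image values, or Image ending in the Temp path."""
    image = _lower(event.get("Image"))
    if not isinstance(image, str):
        return False
    return image in FILTER_IMAGE_EXACT or image.endswith(FILTER_IMAGE_SUFFIX)

def filter_main_null(event):
    """Image: null -> the field is absent (assumed to include an explicit None)."""
    return event.get("Image") is None

def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not (filter_main_generic(event) or filter_main_null(event))

def alerts(events):
    return [e for e in events if matches(e)]

# Constructed sample events (not real telemetry); only the first should alert.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\Sysmon64.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ParentImage": "C:\\Windows\\Sysmon64.exe", "Image": "C:\\Windows\\System32\\conhost.exe"},
    {"ParentImage": "C:\\Windows\\Sysmon64.exe", "Image": "C:\\Windows\\System32\\WerFault.exe"},
    {"ParentImage": "C:\\Windows\\Sysmon64.exe", "Image": None},
    {"ParentImage": "C:\\Users\\a\\Sysmon.exe", "Image": "C:\\Users\\a\\AppData\\Local\\Temp\\Sysmon.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT:", e["ParentImage"], "->", e["Image"])
```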
Related rules
- Exploiting CVE-2019-1388
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential CVE-2021-41379 Exploitation Attempt
- Potential SystemNightmare Exploitation Attempt
- HackTool - SysmonEOP Execution