Suspicious Sysmon as Execution Parent

Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

Sigma rule

```yaml
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: test
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
    - https://twitter.com/filip_dragovic/status/1590052248260055041
    - https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022-11-10
modified: 2023-10-23
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2022-41120
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter_main_generic:
        Image|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
            - ':\Windows\System32\conhost.exe'
            - ':\Windows\System32\WerFault.exe' # When Sysmon crashes
            - ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
            - ':\Windows\System32\wevtutil.exe'
            - ':\Windows\SysWOW64\wevtutil.exe'
            - '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
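To make the rule's logic concrete, the following added example (not SigmaHQ code) re-implements the `selection` / `filter_main_*` evaluation in Python and runs it over a few constructed process_creation events, so the effect of the allow-list and of the `Image: null` filter can be checked.

```python
# Added example: evaluates the Sigma rule above against constructed
# process_creation events. Sigma's endswith/contains modifiers are
# case-insensitive by default, so both sides are lower-cased here.

PARENT_SUFFIXES = ('\\sysmon.exe', '\\sysmon64.exe')

# filter_main_generic: known-benign children of Sysmon listed in the rule
IMAGE_ALLOWLIST = (
    ':\\windows\\sysmon.exe',
    ':\\windows\\sysmon64.exe',
    ':\\windows\\system32\\conhost.exe',
    ':\\windows\\system32\\werfault.exe',        # when Sysmon crashes
    ':\\windows\\system32\\werfaultsecure.exe',  # when Sysmon crashes
    ':\\windows\\system32\\wevtutil.exe',
    ':\\windows\\syswow64\\wevtutil.exe',
    '\\appdata\\local\\temp\\sysmon.exe',       # 32-bit Sysmon being launched
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies: selection and not 1 of filter_main_*."""
    parent = event.get("ParentImage")
    if not isinstance(parent, str) or not parent.lower().endswith(PARENT_SUFFIXES):
        return False                      # selection did not match
    image = event.get("Image")
    if image is None:
        return False                      # filter_main_null excludes the event
    image_l = image.lower()
    if any(fragment in image_l for fragment in IMAGE_ALLOWLIST):
        return False                      # filter_main_generic excludes the event
    return True


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\Sysmon64.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\Sysmon64.exe", "Image": r"C:\Windows\System32\conhost.exe"},
    {"ParentImage": r"C:\Windows\Sysmon.exe", "Image": None},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\Sysmon.exe", "Image": r"C:\Users\u\AppData\Local\Temp\Sysmon.exe"},
]


def alerts(events):
    """Return the Image of every event that would raise the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(matches_rule(e), e)
```

Only the first sample (cmd.exe spawned by Sysmon64.exe) alerts; the conhost, null-Image, non-Sysmon-parent and Temp\Sysmon.exe cases are all excluded by the selection or the filters.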
