Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
Sigma rule
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: test
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
    - https://twitter.com/filip_dragovic/status/1590052248260055041
    - https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022-11-10
modified: 2023-10-23
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2022-41120
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter_main_generic:
        Image|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
            - ':\Windows\System32\conhost.exe'
            - ':\Windows\System32\WerFault.exe' # When Sysmon crashes
            - ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
            - ':\Windows\System32\wevtutil.exe'
            - ':\Windows\SysWOW64\wevtutil.exe'
            - '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
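The rule's selection and filter logic, applied in Python to constructed process_creation events, as an added illustration that is not part of the rule or of the Sigma project. It mirrors Sigma's default case-insensitive string matching and the "selection and not 1 of filter_main_*" condition, including the filter_main_null case where Image is absent; all sample events are made up here.

```python
# Constructed sample process_creation events (not real telemetry).
# Field names follow the Sysmon/Sigma process_creation schema.
EVENTS = [
    {"ParentImage": r"C:\Windows\Sysmon64.exe", "Image": r"C:\Windows\System32\cmd.exe"},       # should alert
    {"ParentImage": r"C:\Windows\Sysmon64.exe", "Image": r"C:\Windows\System32\conhost.exe"},   # console host, filtered
    {"ParentImage": r"C:\Windows\Sysmon.exe", "Image": r"C:\Windows\System32\WerFault.exe"},    # Sysmon crash, filtered
    {"ParentImage": r"C:\Windows\Sysmon64.exe", "Image": None},                                 # filter_main_null
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},       # parent is not Sysmon
    {"ParentImage": r"C:\Users\bob\Downloads\Sysmon.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\Sysmon.exe"},                                   # 32-bit self-extract, filtered
]

# selection: ParentImage|endswith (lower-cased, since Sigma matches case-insensitively)
PARENT_SUFFIXES = tuple(s.lower() for s in (r"\Sysmon.exe", r"\Sysmon64.exe"))

# filter_main_generic: Image|contains
FILTER_IMAGE_SUBSTRINGS = tuple(s.lower() for s in (
    r":\Windows\Sysmon.exe",
    r":\Windows\Sysmon64.exe",
    r":\Windows\System32\conhost.exe",
    r":\Windows\System32\WerFault.exe",
    r":\Windows\System32\WerFaultSecure.exe",
    r":\Windows\System32\wevtutil.exe",
    r":\Windows\SysWOW64\wevtutil.exe",
    r"\AppData\Local\Temp\Sysmon.exe",
))


def matches(event: dict) -> bool:
    """Return True when the event satisfies: selection and not 1 of filter_main_*."""
    parent = (event.get("ParentImage") or "").lower()
    if not parent.endswith(PARENT_SUFFIXES):
        return False                        # selection not met
    image = event.get("Image")
    if image is None:
        return False                        # filter_main_null matched
    if any(s in image.lower() for s in FILTER_IMAGE_SUBSTRINGS):
        return False                        # filter_main_generic matched
    return True


def run_rule(events: list) -> list:
    """Return the events that would raise this rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```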
Related rules
- Exploiting CVE-2019-1388
- Exploiting SetupComplete.cmd CVE-2019-1378
- HackTool - SysmonEOP Execution
- Potential CVE-2021-41379 Exploitation Attempt
- Potential SystemNightmare Exploitation Attempt