MSI Spawned Cmd and Powershell Spawned Processes
This rule looks for the Windows Installer service (msiexec.exe) spawning cmd.exe or powershell.exe which in turn spawns other processes, i.e. a process whose parent is cmd/PowerShell and whose grandparent is an MSI temporary file under \Windows\Installer\.
Sigma rule
title: MSI Spawned Cmd and Powershell Spawned Processes
id: 38cf8340-461b-4857-bf99-23a41f772b18
description: This rule looks for the Windows Installer service (msiexec.exe) spawning cmd.exe or powershell.exe which in turn spawns other processes
status: unsupported
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
    - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    product: windows
    category: process_creation
    definition: Works only if Sysmon process creation events are enriched with a ParentOfParentImage field (see the enrichment section)
detection:
    parent_image:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    parent_of_parent_image:
        ParentOfParentImage|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        ParentOfParentImage|endswith:
            - 'tmp'
    condition: parent_image and parent_of_parent_image
fields:
    - ParentImage
    - ParentOfParentImage
falsepositives:
    - Unknown
level: high
enrichment:
    - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
    - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
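The rule only works once each process creation event carries a ParentOfParentImage field, which Sysmon does not log directly: the two enrichment steps cache Event ID 1 records (EN_0001) and join each event to its parent's record to copy that record's ParentImage (EN_0002). The following Python is an added illustration written for this page, not code from the Sigma project or the rule's authors. It emulates that enrichment over a constructed, in-memory set of events (the GUID values and image paths are made up) and then applies the rule's two selections with Sigma's case-insensitive matching semantics; the enrichment is keyed on ProcessGuid/ParentProcessGuid, an assumption about how the real enrichment correlates events.

```python
"""Added example: emulate the ParentOfParentImage enrichment the rule needs,
then evaluate the rule's detection logic over constructed Sysmon events."""

from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 records (not real telemetry). Field names
# follow the Sysmon process_creation schema; GUIDs are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "G-1", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentProcessGuid": "G-0", "ParentImage": r"C:\Windows\System32\services.exe"},
    # Windows Installer writes a custom-action binary to MSIxxxx.tmp and runs it
    {"ProcessGuid": "G-2", "Image": r"C:\Windows\Installer\MSI1A2B.tmp",
     "ParentProcessGuid": "G-1", "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessGuid": "G-3", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "G-2", "ParentImage": r"C:\Windows\Installer\MSI1A2B.tmp"},
    # The event the rule is meant to flag: a child of cmd.exe whose grandparent is the MSI tmp
    {"ProcessGuid": "G-4", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentProcessGuid": "G-3", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign control: cmd.exe launched from explorer.exe, whose own event is not in the cache
    {"ProcessGuid": "G-5", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "G-X", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "G-6", "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentProcessGuid": "G-5", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def enrich_with_parent_of_parent(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """EN_0001 + EN_0002 emulation: cache Event ID 1 by ProcessGuid, then copy
    the parent's ParentImage into the child's ParentOfParentImage field.
    When the parent's creation event was never seen, the field stays None."""
    cache = {e["ProcessGuid"]: e for e in events}  # EN_0001: cache event id 1 info
    enriched: List[Dict[str, Optional[str]]] = []
    for e in events:
        parent = cache.get(e["ParentProcessGuid"])  # EN_0002: join to parent record
        out: Dict[str, Optional[str]] = dict(e)
        out["ParentOfParentImage"] = parent["ParentImage"] if parent else None
        enriched.append(out)
    return enriched


def matches_rule(event: Dict[str, Optional[str]]) -> bool:
    """The rule's condition: parent_image and parent_of_parent_image.
    Sigma string modifiers are case-insensitive, so compare in lower case."""
    parent = (event.get("ParentImage") or "").lower()
    grandparent = (event.get("ParentOfParentImage") or "").lower()
    # parent_image: ParentImage|endswith cmd.exe or powershell.exe
    parent_image = parent.endswith(("\\cmd.exe", "\\powershell.exe"))
    # parent_of_parent_image: contains|all of '\Windows\Installer\' and 'msi',
    # AND endswith 'tmp' (sibling keys in one selection are ANDed)
    parent_of_parent = (
        "\\windows\\installer\\" in grandparent
        and "msi" in grandparent
        and grandparent.endswith("tmp")
    )
    return parent_image and parent_of_parent


def run_detection(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessGuids of events the rule would alert on."""
    return [e["ProcessGuid"] for e in enrich_with_parent_of_parent(events) if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("alert:", hit)
```

Running it alerts only on G-4: G-3 has the MSI tmp file as its direct parent rather than grandparent, so the parent_image selection fails, and G-6's grandparent is explorer.exe. The control case also shows why the rule's definition note matters: if the parent's Event ID 1 is missing from the cache, ParentOfParentImage is empty and the rule silently cannot fire, so a gap in the cache window is a detection gap.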
Related rules
- CMSTP UAC Bypass via COM Object Access
- HackTool - Empire PowerShell UAC Bypass
- Potential UAC Bypass Via Sdclt.EXE
- UAC Bypass Tools Using ComputerDefaults
- Sdclt Child Processes