MSI Spawned Cmd and Powershell Spawned Processes

This rule looks for the Windows Installer service (msiexec.exe) spawning cmd.exe or powershell.exe, which in turn spawns further processes. It relies on a ParentOfParentImage field that is not native to Sysmon Event ID 1 and must be added by the enrichment listed at the end of the rule.

Sigma rule:

title: MSI Spawned Cmd and Powershell Spawned Processes
id: 38cf8340-461b-4857-bf99-23a41f772b18
description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes
status: unsupported
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
    - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    product: windows
    category: process_creation
    definition: Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
detection:
    parent_image:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    parent_of_parent_image:
        ParentOfParentImage|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        ParentOfParentImage|endswith:
            - 'tmp'
    condition: parent_image and parent_of_parent_image
fields:
    - ParentImage
    - ParentOfParentImage
falsepositives:
    - Unknown
level: high
enrichment:
    - EN_0001_cache_sysmon_event_id_1_info                # http://bit.ly/314zc6x
    - EN_0002_enrich_sysmon_event_id_1_with_parent_info   # http://bit.ly/2KmSC0l
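The rule only fires on a ParentOfParentImage field, which Sysmon does not emit; the two listed enrichments build it by caching every Event ID 1 record and following ParentProcessGuid twice. The example below is an added illustration, not code from the rule's authors or oscd.community: it performs that enrichment over a constructed set of Sysmon process_creation records (field names Image, ParentImage, ProcessGuid and ParentProcessGuid as in Sysmon Event ID 1), then evaluates the rule's two selections and its condition. Sigma string modifiers match case-insensitively, so both sides are lower-cased before comparison. The process chain, GUIDs and the installer temp file name are constructed sample data.

```python
from typing import Dict, List

Event = Dict[str, str]


def enrich_parent_of_parent(events: List[Event]) -> List[Event]:
    """Add ParentOfParentImage to each event, in the spirit of the
    EN_0001/EN_0002 enrichment the rule depends on (this is an assumed
    reimplementation, not the oscd.community enrichment code)."""
    # EN_0001 step: cache every Event ID 1 record by its ProcessGuid
    by_guid = {e["ProcessGuid"]: e for e in events}
    enriched = []
    for e in events:
        # EN_0002 step: resolve the parent record, then the parent's parent
        parent = by_guid.get(e.get("ParentProcessGuid", ""))
        grandparent = (by_guid.get(parent.get("ParentProcessGuid", ""))
                       if parent else None)
        out = dict(e)
        # Empty string when the chain cannot be resolved (e.g. the root process),
        # so the rule simply does not match rather than erroring
        out["ParentOfParentImage"] = grandparent["Image"] if grandparent else ""
        enriched.append(out)
    return enriched


def matches_rule(event: Event) -> bool:
    """Evaluate 'parent_image and parent_of_parent_image' from the Sigma rule."""
    parent = event.get("ParentImage", "").lower()
    gp = event.get("ParentOfParentImage", "").lower()
    # ParentImage|endswith: '\cmd.exe' or '\powershell.exe'
    parent_image = parent.endswith(("\\cmd.exe", "\\powershell.exe"))
    # ParentOfParentImage|contains|all: '\Windows\Installer\' and 'msi',
    # plus ParentOfParentImage|endswith: 'tmp'
    parent_of_parent = ("\\windows\\installer\\" in gp
                        and "msi" in gp
                        and gp.endswith("tmp"))
    return parent_image and parent_of_parent


def detect(events: List[Event]) -> List[str]:
    """Return the Image of every event that matches the rule after enrichment."""
    return [e["Image"] for e in enrich_parent_of_parent(events) if matches_rule(e)]


def _ev(guid: str, parent_guid: str, image: str, parent_image: str) -> Event:
    # Minimal Sysmon Event ID 1 shape; GUIDs shortened for readability (constructed)
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image}


# Constructed sample: an MSI install whose temp helper runs cmd.exe, which
# launches reg.exe, next to a benign cmd.exe launched from explorer.exe.
SAMPLE_EVENTS: List[Event] = [
    _ev("A", "-", "C:\\Windows\\System32\\services.exe", ""),
    _ev("B", "A", "C:\\Windows\\System32\\msiexec.exe",
        "C:\\Windows\\System32\\services.exe"),
    _ev("C", "B", "C:\\Windows\\Installer\\MSI1A2B.tmp",
        "C:\\Windows\\System32\\msiexec.exe"),
    _ev("D", "C", "C:\\Windows\\System32\\cmd.exe",
        "C:\\Windows\\Installer\\MSI1A2B.tmp"),
    _ev("E", "D", "C:\\Windows\\System32\\reg.exe",
        "C:\\Windows\\System32\\cmd.exe"),
    _ev("F", "-", "C:\\Windows\\explorer.exe", ""),
    _ev("G", "F", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\explorer.exe"),
    _ev("H", "G", "C:\\Windows\\System32\\ipconfig.exe",
        "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for image in detect(SAMPLE_EVENTS):
        print("MATCH:", image)
```

Only the reg.exe event matches: its parent is cmd.exe and its grandparent is the MSI*.tmp file under \Windows\Installer\. The cmd.exe event itself does not match (its parent is the .tmp file, not a shell), and the explorer-launched cmd.exe chain fails the grandparent check. Because the rule's false positives are listed as "Unknown", a deployment would normally also record the matching Image and CommandLine so that legitimate installer custom actions can be baselined.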
