Unusual Parent Process For Cmd.EXE

Detects cmd.exe being launched by a parent process that does not normally spawn a command shell, such as lsass.exe, csrss.exe, spoolsv.exe or WerFault.exe. A shell under one of these parents is a common sign that the parent has been injected into or exploited, so the event is worth triaging even though the rule itself lists no known false positives.

Sigma rule

title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
status: experimental
description: Detects suspicious parent process for cmd.exe
references:
    - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch, Elastic (idea)
date: 2022/09/21
modified: 2023/12/05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith:
            - '\csrss.exe'
            - '\ctfmon.exe'
            - '\dllhost.exe'
            - '\epad.exe'
            - '\FlashPlayerUpdateService.exe'
            - '\GoogleUpdate.exe'
            - '\jucheck.exe'
            - '\jusched.exe'
            - '\LogonUI.exe'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SIHClient.exe'
            - '\sihost.exe'
            - '\slui.exe'
            - '\spoolsv.exe'
            - '\sppsvc.exe'
            - '\taskhostw.exe'
            - '\unsecapp.exe'
            - '\WerFault.exe'
            - '\wermgr.exe'
            - '\wlanext.exe'
            - '\WUDFHost.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
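The rule's `selection` block hand-translated into runnable detection logic and run over a few process_creation events, as an added example that is not code from the Sigma project or from the referenced Elastic rule. The field names `Image`, `ParentImage` and `RecordId` follow the Sysmon/Sigma process_creation convention and the sample events are constructed for this example; the point it makes beyond the YAML is how Sigma's `|endswith` behaves with case and with the leading backslash.

```python
"""
Evaluate the 'Unusual Parent Process For Cmd.EXE' Sigma selection against
Windows process_creation events.

Added example, not part of the Sigma repository: the rule's selection block
is translated into Python by hand.  Field names follow the Sysmon/Sigma
process_creation convention; the sample events are constructed.
"""

# Suffix list copied verbatim from the rule's ParentImage|endswith block.
UNUSUAL_PARENTS = [
    r"\csrss.exe", r"\ctfmon.exe", r"\dllhost.exe", r"\epad.exe",
    r"\FlashPlayerUpdateService.exe", r"\GoogleUpdate.exe", r"\jucheck.exe",
    r"\jusched.exe", r"\LogonUI.exe", r"\lsass.exe", r"\regsvr32.exe",
    r"\SearchIndexer.exe", r"\SearchProtocolHost.exe", r"\SIHClient.exe",
    r"\sihost.exe", r"\slui.exe", r"\spoolsv.exe", r"\sppsvc.exe",
    r"\taskhostw.exe", r"\unsecapp.exe", r"\WerFault.exe", r"\wermgr.exe",
    r"\wlanext.exe", r"\WUDFHost.exe",
]

CHILD_SUFFIX = r"\cmd.exe"  # Image|endswith


def sigma_endswith(value, suffix):
    """Sigma's |endswith modifier.  String comparison in Sigma is
    case-insensitive unless the rule also applies |cased, which this
    rule does not."""
    return value.lower().endswith(suffix.lower())


def matches(event):
    """Return True when the event satisfies `condition: selection`.

    Field tests inside one selection map are ANDed; a list of values for
    a single field is ORed."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if not sigma_endswith(image, CHILD_SUFFIX):
        return False
    return any(sigma_endswith(parent, s) for s in UNUSUAL_PARENTS)


def alerts(events):
    """Return the RecordId of every event that fires the rule, in order."""
    return [e["RecordId"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: interactive shell started from Explorer; benign, no alert
    {"RecordId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 2: shell spawned by the print spooler service; alert
    {"RecordId": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe"},
    # 3: the log source upper-cased the paths; still alerts because
    #    Sigma string matching is case-insensitive
    {"RecordId": 3, "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\LSASS.EXE"},
    # 4: the leading backslash in '\cmd.exe' keeps look-alike names such
    #    as notcmd.exe from matching, even under a listed parent
    {"RecordId": 4, "Image": r"C:\tools\notcmd.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe"},
    # 5: a log source that records only the file name, without a path,
    #    never satisfies an |endswith value that begins with a backslash
    {"RecordId": 5, "Image": "cmd.exe", "ParentImage": "WerFault.exe"},
    # 6: cmd.exe started by the Windows Error Reporting host; alert
    {"RecordId": 6, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WerFault.exe"},
]


if __name__ == "__main__":
    print("alerting RecordIds:", alerts(SAMPLE_EVENTS))  # [2, 3, 6]
```

Two things to check before deploying the rule in a given environment follow from events 3 and 5: the backend conversion must preserve Sigma's case-insensitive matching (Sysmon and EDR sources vary in how they case paths), and the source must supply full image paths, because a bare file name can never end with `\cmd.exe`.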
