Script Event Consumer Spawning Process

 1title: Script Event Consumer Spawning Process
 2id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
 3status: test
 4description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
 5references:
 6    - https://redcanary.com/blog/child-processes/
 7    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
 8author: Sittikorn S
 9date: 2021-06-21
10modified: 2022-07-14
11tags:
12    - attack.execution
13    - attack.t1047
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        ParentImage|endswith: '\scrcons.exe'
20        Image|endswith:
21            - '\svchost.exe'
22            - '\dllhost.exe'
23            - '\powershell.exe'
24            - '\pwsh.exe'
25            - '\wscript.exe'
26            - '\cscript.exe'
27            - '\schtasks.exe'
28            - '\regsvr32.exe'
29            - '\mshta.exe'
30            - '\rundll32.exe'
31            - '\msiexec.exe'
32            - '\msbuild.exe'
33    condition: selection
34fields:
35    - CommandLine
36    - ParentCommandLine
37falsepositives:
38    - Unknown
39level: high

References

• Diary of a Detection Engineer: Babysitting child processes

  

  Baseline knowledge of common executables—such as whether they normally spawn child processes—is key to detecting malicious behavior.

  
  Read More

• Palo Alto Networks documentation portal

  

  Loading application... Cortex XSIAM Cortex XDR Cortex XSOAR Cortex Xpanse Cortex Developer Docs Pan.Dev PANW TechDocs Customer Support Portal KnowledgeBase LIVEcommunity Contact us

  
  Read More

Related rules

• Application Removed Via Wmic.EXE
• Application Terminated Via Wmic.EXE
• Blue Mockingbird
• Blue Mockingbird - Registry
• Computer System Reconnaissance Via Wmic.EXE