Script Event Consumer Spawning Process
Detects a suspicious child process of Script Event Consumer (scrcons.exe).
Sigma rule (View on GitHub)
1title: Script Event Consumer Spawning Process
2id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
3status: test
4description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
5references:
6 - https://redcanary.com/blog/child-processes/
7 - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
8author: Sittikorn S
9date: 2021/06/21
10modified: 2022/07/14
11tags:
12 - attack.execution
13 - attack.t1047
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\scrcons.exe'
20 Image|endswith:
21 - '\svchost.exe'
22 - '\dllhost.exe'
23 - '\powershell.exe'
24 - '\pwsh.exe'
25 - '\wscript.exe'
26 - '\cscript.exe'
27 - '\schtasks.exe'
28 - '\regsvr32.exe'
29 - '\mshta.exe'
30 - '\rundll32.exe'
31 - '\msiexec.exe'
32 - '\msbuild.exe'
33 condition: selection
34fields:
35 - CommandLine
36 - ParentCommandLine
37falsepositives:
38 - Unknown
39level: high
References
-
Baseline knowledge of common executables—such as whether they normally spawn child processes—is key to detecting malicious behavior.
Read More -
Loading application... Cortex XSIAM Cortex XDR Cortex XSOAR Cortex Xpanse Cortex Developer Docs Pan.Dev PANW TechDocs Customer Support Portal KnowledgeBase LIVEcommunity Contact us
Read More
Related rules
- WMIC Unquoted Services Path Lookup - PowerShell
- Application Terminated Via Wmic.EXE
- Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- Suspicious Process Created Via Wmic.EXE
- HackTool - CrackMapExec Execution