Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
Sigma rule
title: Suspicious Splwow64 Without Params
id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
status: test
description: Detects suspicious Splwow64.exe process without any command line parameters
references:
  - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
author: Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2022-12-25
tags:
  - attack.defense-evasion
  - attack.t1202
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\splwow64.exe'
    CommandLine|endswith: 'splwow64.exe'
  condition: selection
falsepositives:
  - Unknown
level: high
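The selection above fires only when both fields match: the Image must end with `\splwow64.exe` and the CommandLine must end with `splwow64.exe`, which is how the rule expresses "no parameters" (anything after the executable name stops the suffix match). The following added example, which is not part of the rule or of the Sigma project, implements a small evaluator for Sigma map selections with the `endswith`, `startswith` and `contains` modifiers (case-insensitive, as Sigma string matching is) and runs this rule's selection over constructed process_creation events. The sample events and their ids are constructed for illustration, not real telemetry; the example also shows that a quoted command line ending in `"` does not satisfy the suffix match as written.

```python
from typing import Dict, List, Optional

# This rule's selection, copied from the YAML above (single-quoted YAML keeps
# the backslash literal, hence the raw string).
SELECTION: Dict[str, str] = {
    "Image|endswith": r"\splwow64.exe",
    "CommandLine|endswith": "splwow64.exe",
}


def field_matches(value: str, modifier: Optional[str], pattern: str) -> bool:
    """Apply one Sigma string modifier; Sigma string comparisons ignore case."""
    v, p = value.lower(), pattern.lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: Dict[str, str], event: Dict[str, str]) -> bool:
    """Sigma map semantics: every key of a selection must match (logical AND).

    Only scalar patterns are handled here; a list value (logical OR) is out of
    scope for this example.
    """
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier or None, pattern):
            return False
    return True


# Constructed sample events (hypothetical values, not captured telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "bare",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe"},
    {"id": "with-param",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12345"},
    {"id": "mixed-case",
     "Image": r"C:\WINDOWS\SplWow64.EXE",
     "CommandLine": r"C:\WINDOWS\SplWow64.EXE"},
    {"id": "quoted",  # ends with a quote, so the suffix match does not fire
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r'"C:\Windows\splwow64.exe"'},
    {"id": "other-image",  # CommandLine matches, Image does not: AND fails
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe splwow64.exe"},
]


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of events that satisfy the rule's selection."""
    return [e["id"] for e in events if selection_matches(SELECTION, e)]


if __name__ == "__main__":
    for event_id in alerts(SAMPLE_EVENTS):
        print(f"level=high rule='Suspicious Splwow64 Without Params' event={event_id}")
```

Running the block reports the `bare` and `mixed-case` events and nothing else; the `quoted` case is worth keeping in mind when tuning the rule against how your endpoint sensor records command lines.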
Related rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE