Parent in Public Folder Suspicious Process

This rule detects suspicious processes with parent images located in the C:\Users\Public folder.

Sigma rule (View on GitHub)

title: Parent in Public Folder Suspicious Process
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: experimental
description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022/02/25
modified: 2022/11/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|startswith: 'C:\Users\Public\'
        CommandLine|contains:
            - 'powershell'
            - 'cmd.exe /c '
            - 'cmd.exe /r '
            - 'cmd.exe /k '
            - 'cmd /c '
            - 'cmd /r '
            - 'cmd /k '
            - 'wscript.exe'
            - 'cscript.exe'
            - 'bitsadmin'
            - 'certutil'
            - 'mshta.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Unknown
level: high
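To show what the `selection` block above actually matches, here is an added example (not part of the Sigma project or the rule author's work) that evaluates the rule's two conditions against constructed process_creation events. The event dicts, host and user names are assumptions made for the demo; the field names follow the Sigma process_creation taxonomy the rule is written against.

```python
PARENT_PREFIX = "C:\\Users\\Public\\"
COMMANDLINE_TOKENS = [
    "powershell", "cmd.exe /c ", "cmd.exe /r ", "cmd.exe /k ",
    "cmd /c ", "cmd /r ", "cmd /k ", "wscript.exe", "cscript.exe",
    "bitsadmin", "certutil", "mshta.exe",
]

def matches(event: dict) -> bool:
    """True when the event satisfies the rule's `selection` block.
    Sigma string matching is case-insensitive by default, so both
    fields are lower-cased before the startswith / contains tests."""
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not parent.startswith(PARENT_PREFIX.lower()):
        return False
    return any(tok.lower() in cmdline for tok in COMMANDLINE_TOKENS)

def find_hits(events):
    """Project matching events onto the rule's `fields` list."""
    keys = ("ComputerName", "User", "CommandLine")
    return [{k: e.get(k) for k in keys} for e in events if matches(e)]

# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy the rule is written against.
SAMPLE_EVENTS = [
    {   # parent in Public, child is PowerShell -> hit
        "ComputerName": "WS01", "User": "CORP\\alice",
        "ParentImage": "C:\\Users\\Public\\update.exe",
        "CommandLine": "powershell.exe -File C:\\Users\\Public\\run.ps1"},
    {   # parent in Public, but no listed token in the command line -> no hit
        "ComputerName": "WS01", "User": "CORP\\alice",
        "ParentImage": "C:\\Users\\Public\\installer.exe",
        "CommandLine": "C:\\Windows\\System32\\notepad.exe readme.txt"},
    {   # listed token, but parent outside Public -> no hit
        "ComputerName": "WS02", "User": "CORP\\bob",
        "ParentImage": "C:\\Program Files\\App\\app.exe",
        "CommandLine": "cmd.exe /c dir C:\\Temp"},
    {   # mixed case: Sigma matching is case-insensitive -> hit
        "ComputerName": "WS03", "User": "CORP\\carol",
        "ParentImage": "c:\\users\\public\\Loader.EXE",
        "CommandLine": "WScript.exe //B C:\\Users\\Public\\task.vbs"},
    {   # 'cmd.exe /c ' carries a trailing space: a bare '/c' does not match
        "ComputerName": "WS03", "User": "CORP\\carol",
        "ParentImage": "C:\\Users\\Public\\tool.exe",
        "CommandLine": "cmd.exe /c"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

The last sample event shows a subtlety worth knowing when tuning the rule: several `contains` tokens end in a space, so a command line that ends right after the switch falls outside the rule as written.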