Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
Sigma rule
title: Potentially Suspicious Execution From Parent Process In Public Folder
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: |
    Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-25
modified: 2024-07-12
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1564
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: ':\Users\Public\'
    selection_child:
        - Image|endswith:
              - '\bitsadmin.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - CommandLine|contains:
              - 'bitsadmin'
              - 'certutil'
              - 'cscript'
              - 'mshta'
              - 'powershell'
              - 'regsvr32'
              - 'rundll32'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
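To show exactly which events this rule fires on, the following is an added, stand-alone Python evaluator of the rule's detection logic run over hand-written Windows process-creation events. It is not part of the Sigma project or of this page; the events are constructed samples, and the field names (ParentImage, Image, CommandLine) follow the Sigma process_creation taxonomy. Two points of Sigma semantics it makes explicit: string modifiers match case-insensitively, and `selection_child` is a YAML list of two maps, so either map (Image suffix or CommandLine substring) is enough for that selection, while `all of selection_*` still requires the parent condition as well.

```python
"""Constructed evaluator for the 'Parent Process In Public Folder' rule.

Not the Sigma project's own code: a minimal re-implementation of the
rule's selections so the matching behaviour can be inspected offline.
"""

# Values copied from the rule. Sigma string matching is case-insensitive
# by default, so every field is lower-cased before comparison.
PARENT_CONTAINS = ":\\users\\public\\"

CHILD_IMAGE_ENDSWITH = (
    "\\bitsadmin.exe", "\\certutil.exe", "\\cmd.exe", "\\cscript.exe",
    "\\mshta.exe", "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe",
    "\\rundll32.exe", "\\wscript.exe",
)

CHILD_CMDLINE_CONTAINS = (
    "bitsadmin", "certutil", "cscript", "mshta", "powershell",
    "regsvr32", "rundll32", "wscript",
)


def selection_parent(event: dict) -> bool:
    """ParentImage|contains ':\\Users\\Public\\' (trailing backslash included)."""
    return PARENT_CONTAINS in event.get("ParentImage", "").lower()


def selection_child(event: dict) -> bool:
    """A YAML list of maps is OR-ed: image suffix OR command-line substring."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_hit = any(image.endswith(suffix) for suffix in CHILD_IMAGE_ENDSWITH)
    cmdline_hit = any(needle in cmdline for needle in CHILD_CMDLINE_CONTAINS)
    return image_hit or cmdline_hit


def matches(event: dict) -> bool:
    """condition: all of selection_* -> parent AND child must both hold."""
    return selection_parent(event) and selection_child(event)


def find_matches(events: list) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, event in enumerate(events) if matches(event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: parent in Public, child is powershell.exe -> hit via Image
        "ParentImage": r"C:\Users\Public\update.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -File C:\\Users\\Public\\u.ps1",
    },
    {   # 1: parent in Public, child not in the image list, but the
        # command line mentions rundll32 -> hit via CommandLine
        "ParentImage": r"C:\Users\Public\Documents\setup.exe",
        "Image": r"C:\Program Files\Vendor\launcher.exe",
        "CommandLine": "launcher.exe /run rundll32 shell32.dll,Control_RunDLL",
    },
    {   # 2: parent in Public, but the child is benign -> no hit
        "ParentImage": r"C:\Users\Public\installer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\Public\readme.txt",
    },
    {   # 3: cmd.exe child, but the parent is not under Public -> no hit
        "ParentImage": r"C:\Program Files\Vendor\app.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
    {   # 4: same as 0 with mixed case -> still a hit (case-insensitive)
        "ParentImage": r"C:\USERS\PUBLIC\Run.EXE",
        "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        "CommandLine": "CMD.EXE /C whoami",
    },
    {   # 5: 'PublicShare' is not 'Public\' -> the trailing backslash in
        # the rule's pattern keeps this out of scope
        "ParentImage": r"C:\Users\PublicShare\tool.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]

if __name__ == "__main__":
    for i in find_matches(SAMPLE_EVENTS):
        print(f"alert: event {i} -> {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0, 1 and 4 alert; 2, 3 and 5 do not. Event 1 is worth noting when tuning: the `CommandLine|contains` branch fires on the bare substring, so any child of a process under `\Users\Public\` whose command line merely mentions one of those words (a log or script path containing "powershell", for instance) also matches, which is consistent with the rule listing its false positives as unknown.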
Related rules
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Install New Package Via Winget Local Manifest
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Arbitrary Command Execution Via FTP.EXE