Parent in Public Folder Suspicious Process

This rule detects suspicious process creations whose parent image is located in the C:\Users\Public folder and whose command line invokes a scripting host or a living-off-the-land utility (PowerShell, cmd, wscript/cscript, bitsadmin, certutil, mshta).

Sigma rule

title: Parent in Public Folder Suspicious Process
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022/02/25
modified: 2022/11/18
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1564
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|startswith: 'C:\Users\Public\'
        CommandLine|contains:
            - 'powershell'
            - 'cmd.exe /c '
            - 'cmd.exe /r '
            - 'cmd.exe /k '
            - 'cmd /c '
            - 'cmd /r '
            - 'cmd /k '
            - 'wscript.exe'
            - 'cscript.exe'
            - 'bitsadmin'
            - 'certutil'
            - 'mshta.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Unknown
level: high
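The matching logic of the selection above, as an added example (not part of the Sigma project or this page), evaluated over constructed process_creation events; host names, users and paths in the sample events are hypothetical.

```python
from typing import Dict, List

# Values copied from the rule above.
PARENT_PREFIX = "C:\\Users\\Public\\"
COMMANDLINE_TOKENS = [
    "powershell",
    "cmd.exe /c ", "cmd.exe /r ", "cmd.exe /k ",
    "cmd /c ", "cmd /r ", "cmd /k ",
    "wscript.exe", "cscript.exe",
    "bitsadmin", "certutil", "mshta.exe",
]
OUTPUT_FIELDS = ["ComputerName", "User", "CommandLine"]  # the rule's 'fields'


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule's selection.

    Fields inside one Sigma selection are ANDed, and Sigma string matching
    is case-insensitive by default, so both sides are lowercased. The cmd
    tokens keep their trailing space, so a bare 'cmd.exe /c' does not match.
    """
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not parent.startswith(PARENT_PREFIX.lower()):
        return False
    return any(token in cmdline for token in COMMANDLINE_TOKENS)


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events; return the output fields per hit."""
    return [{f: e.get(f, "") for f in OUTPUT_FIELDS} for e in events if matches_rule(e)]


# Constructed Sysmon-style process_creation events (hypothetical hosts/users).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "User": "CORP\\alice",
     "ParentImage": "C:\\Users\\Public\\update.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\Public\\run.ps1"},  # hit
    {"ComputerName": "WS01", "User": "CORP\\alice",
     "ParentImage": "c:\\users\\public\\x.exe",
     "CommandLine": "CERTUTIL -hashfile C:\\Users\\Public\\a.bin MD5"},  # hit, case-insensitive
    {"ComputerName": "WS02", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},  # miss: parent not under Public
    {"ComputerName": "WS02", "User": "CORP\\bob",
     "ParentImage": "C:\\Users\\Public\\tool.exe",
     "CommandLine": "cmd.exe /c"},  # miss: token requires the trailing space
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```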
