Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
Sigma rule (View on GitHub)
1title: Suspicious Process Parents
2id: cbec226f-63d9-4eca-9f52-dfb6652f24df
3status: test
4description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
5references:
6 - https://twitter.com/x86matthew/status/1505476263464607744?s=12
7 - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
8author: Florian Roth (Nextron Systems)
9date: 2022-03-21
10modified: 2022-09-08
11tags:
12 - attack.defense-evasion
13 - attack.t1036
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith:
20 - '\minesweeper.exe'
21 - '\winver.exe'
22 - '\bitsadmin.exe'
23 selection_special:
24 ParentImage|endswith:
25 - '\csrss.exe'
26 - '\certutil.exe'
27 # - '\schtasks.exe'
28 - '\eventvwr.exe'
29 - '\calc.exe'
30 - '\notepad.exe'
31 filter_special:
32 Image|endswith:
33 - '\WerFault.exe'
34 - '\wermgr.exe'
35 - '\conhost.exe' # csrss.exe, certutil.exe
36 - '\mmc.exe' # eventvwr.exe
37 - '\win32calc.exe' # calc.exe
38 - '\notepad.exe'
39 filter_null:
40 Image: null
41 condition: selection or ( selection_special and not 1 of filter_* )
42falsepositives:
43 - Unknown
44level: high
References
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution