Windows Processes Suspicious Parent Directory

Detect suspicious parent processes of well-known Windows processes

Sigma rule

title: Windows Processes Suspicious Parent Directory
id: 96036718-71cc-4027-a538-d1587e0006a7
status: test
description: Detect suspicious parent processes of well-known Windows processes
references:
    - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
author: vburov
date: 2019/02/23
modified: 2022/02/14
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\lsm.exe'
            - '\lsass.exe'
            - '\services.exe'
            - '\lsaiso.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_sys:
        - ParentImage|endswith:
              - '\SavService.exe'
              - '\ngen.exe'
        - ParentImage|contains:
              - '\System32\'
              - '\SysWOW64\'
    filter_msmpeng:
        ParentImage|contains:
            - '\Windows Defender\'
            - '\Microsoft Security Client\'
        ParentImage|endswith: '\MsMpEng.exe'
    filter_null:
        - ParentImage: null
        - ParentImage: '-'
    condition: selection and not 1 of filter_*
falsepositives:
    - Some security products seem to spawn these
level: low
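As an added example, not part of the Sigma project or of this rule page, the following Python evaluates the rule's condition over constructed process-creation events. It assumes events as dicts keyed by Sigma's Windows process_creation field names (Image, ParentImage) and case-insensitive string matching, which is Sigma's default. Note the two different filter shapes: filter_sys is a list of maps (any one map excludes), while filter_msmpeng is a single map (both keys must match).

```python
# Added example: evaluates the Sigma rule above against constructed events.
# Not Sigma project code. Field names follow Sigma's process_creation taxonomy.
SELECTION_IMAGES = ('\\svchost.exe', '\\taskhost.exe', '\\lsm.exe', '\\lsass.exe',
                    '\\services.exe', '\\lsaiso.exe', '\\csrss.exe',
                    '\\wininit.exe', '\\winlogon.exe')
FILTER_SYS_ENDSWITH = ('\\savservice.exe', '\\ngen.exe')
FILTER_SYS_CONTAINS = ('\\system32\\', '\\syswow64\\')
FILTER_MSMPENG_CONTAINS = ('\\windows defender\\', '\\microsoft security client\\')
FILTER_MSMPENG_ENDSWITH = '\\msmpeng.exe'
FILTER_NULL = (None, '-')


def matches(event: dict) -> bool:
    """True when the event satisfies: selection and not 1 of filter_*."""
    image = (event.get('Image') or '').lower()   # Sigma matches case-insensitively
    parent_raw = event.get('ParentImage')
    parent = (parent_raw or '').lower()

    if not image.endswith(SELECTION_IMAGES):     # selection
        return False
    # filter_sys: list of maps, so either map matching excludes the event (OR)
    filter_sys = (parent.endswith(FILTER_SYS_ENDSWITH)
                  or any(s in parent for s in FILTER_SYS_CONTAINS))
    # filter_msmpeng: one map, so both keys must match (AND)
    filter_msmpeng = (any(s in parent for s in FILTER_MSMPENG_CONTAINS)
                      and parent.endswith(FILTER_MSMPENG_ENDSWITH))
    filter_null = parent_raw in FILTER_NULL      # missing parent, or '-' placeholder
    return not (filter_sys or filter_msmpeng or filter_null)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: normal boot chain, parent under System32 -> filter_sys excludes
    {'Image': 'C:\\Windows\\System32\\svchost.exe', 'ParentImage': 'C:\\Windows\\System32\\services.exe'},
    # 1: svchost.exe spawned from a user-writable directory -> alert
    {'Image': 'C:\\Windows\\System32\\svchost.exe', 'ParentImage': 'C:\\Users\\Public\\update.exe'},
    # 2: Defender directory AND MsMpEng.exe -> filter_msmpeng excludes
    {'Image': 'C:\\Windows\\System32\\svchost.exe', 'ParentImage': 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe'},
    # 3: Defender directory but a different binary -> filter_msmpeng does NOT match -> alert
    {'Image': 'C:\\Windows\\System32\\lsass.exe', 'ParentImage': 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MpCmdRun.exe'},
    # 4: parent unknown -> filter_null excludes
    {'Image': 'C:\\Windows\\System32\\csrss.exe', 'ParentImage': None},
    # 5: image not in selection at all
    {'Image': 'C:\\Windows\\explorer.exe', 'ParentImage': 'C:\\Users\\Public\\update.exe'},
]


def alerts(events) -> list:
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == '__main__':
    print(alerts(SAMPLE_EVENTS))  # → [1, 3]
```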
