Taskmgr as Parent

Mar 5, 2023 · attack.defense_evasion attack.t1036 ·

Share on:

Detects the creation of a process from Windows task manager

Sigma rule (View on GitHub)

 1title: Taskmgr as Parent
 2id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
 3status: test
 4description: Detects the creation of a process from Windows task manager
 5author: Florian Roth (Nextron Systems)
 6date: 2018/03/13
 7modified: 2021/11/27
 8tags:
 9    - attack.defense_evasion
10    - attack.t1036
11logsource:
12    category: process_creation
13    product: windows
14detection:
15    selection:
16        ParentImage|endswith: '\taskmgr.exe'
17    filter:
18        Image|endswith:
19            - '\resmon.exe'
20            - '\mmc.exe'
21            - '\taskmgr.exe'
22    condition: selection and not filter
23fields:
24    - Image
25    - CommandLine
26    - ParentCommandLine
27falsepositives:
28    - Administrative activity
29level: low

Related rules

Explorer Process Tree Break
PUA - Potential PE Metadata Tamper Using Rcedit
System File Execution Location Anomaly
Taskmgr as LOCAL_SYSTEM
Procdump Execution