Rules Contributing to Parent/Child-based Suspicious Process Creation Alert

The following rules are used to identify suspicious parent/child process relationships at process creation time. Any one or more of these rules matching will trigger the Parent/Child Suspicious Process Creation Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

MSHTA Spawning Windows Shell

It is suspicious for the mshta process to launch a Windows command line executable.

New Lolbin Process by Office Applications

A Microsoft Office application that launches a new LOLBin process is very suspicious.

Droppers Exploiting CVE-2017-11882

This is indicative of an attempt to exploit the vulnerability described in CVE-2017-11882, in which exploits often start EQNEDT32.EXE and other sub-processes such as mshta.exe.

Exploit for CVE-2017-8759

As described in CVE-2017-8759, the launch of csc.exe from Winword may be an exploit attempt.

Suspicious Shells Spawn by WinRM

A WinRM host process that launches a shell is suspicious.

Suspicious Shells Spawned by Java

A Java host process that launches certain child processes, particularly a shell process, is suspicious and may indicate exploitation, for example of Log4j.

WMI Backdoor Exchange Transport Agent

This indicates that a WMI event filter has been used to create a backdoor in an Exchange Transport Agent.

Exploit for CVE-2017-0261

Launch of FLTLDR.exe from Winword is uncommon and indicative of exploits described in CVE-2017-0261 and CVE-2017-0262.

Exploited CVE-2020-10189 Zoho ManageEngine

This is indicative of CVE-2020-10189, a Java deserialization vulnerability in Zoho ManageEngine Desktop Central.

Microsoft Office Product Spawning Windows Shell

It is suspicious for a Microsoft Office application to launch a Windows command and scripting interpreter executable.

Suspicious Parent of Csc.exe

It is considered suspicious when certain parent processes (such as wscript or mshta) launch csc.exe.

MSHTA Spawned by SVCHOST

This is indicative of LethalHTA (a lateral movement technique).

Suspicious HWP Sub Processes

Certain sub-processes of the Hangul Word Processor (Hanword) application may indicate an exploitation attempt.

Time Travel Debugging Utility Usage

Use of the Time Travel Debugging Utility (tttracer.exe) is suspicious since adversaries can use it to run malicious processes and dump processes, such as lsass.exe.

CMSTP Execution Process Creation

This is an indicator of an attempt to use the Microsoft Connection Manager Profile Installer (CMSTP) to bypass UAC.

Winnti Malware HK University Campaign

This is characteristic of Winnti malware as reported in a Dec/Jan 2020 campaign against Hong Kong universities.

Shells Spawned by Web Servers

A web server process that runs a shell process indicates a possible placement of a web shell for malicious use.

Sdclt Child Processes

The sdclt process creating a child process indicates a possible attempt to bypass UAC.

LOLBins Process Creation with WmiPrvse

A LOLBin process created by wmiprvse is suspicious.

MMC Spawning Windows Shell

It is suspicious for MMC to launch a Windows command-line executable.

Suspicious Shells Spawn by Java Utility Keytool

It is suspicious for the Java utility keytool process to launch a shell; this indicates potential exploitation, for example of ADSelfService.

UAC Bypass via Windows Event Viewer

A UAC bypass attempt to run code with elevated permissions may be indicated when eventvwr.exe launches mmc.exe or WerFault.exe.

Malicious PE Execution by Microsoft Visual Studio Debugger

The MS VS Just-In-Time Debugger (vsjitdebugger.exe), which is a signed/verified binary, can be abused to launch malicious code.

CVE-2021-26857 Exchange Exploitation

The CVE-2021-26857 vulnerability is indicated when abnormal subprocesses are launched from Microsoft Exchange Server’s Unified Messaging service.

MS Office Product Spawning Exe in User Dir

It is suspicious for a Microsoft Office application to launch an executable in the Users directory.

Execution via stordiag.exe

It is suspicious for the stordiag.exe process to launch processes such as systeminfo.exe from a non-standard path.

Always Install Elevated MSI Spawned Cmd And Powershell

A Windows Installer service that launches a command-line shell or PowerShell is considered suspicious.

Wsreset UAC Bypass

The Wsreset.exe tool can be used to reset the Windows Store to bypass UAC.

DNS RCE CVE-2020-1350

This indicates possible exploitation of a DNS RCE bug, as described in CVE-2020-1350.

ScreenConnect Backstage Mode Anomaly

This indicates the use of Backstage mode of the ScreenConnect client, which is suspicious.

Suspicious LSASS Process Clone

This is a suspicious LSASS process clone, which could be a sign of process dumping activity.

Visual Basic Command Line Compiler Usage

Use of vbc.exe with child process cvtres.exe (Windows Resource to Object Converter) should not be seen in an enterprise environment.

Suspicious Service Run-time Directory

The services or svchost process running in a non-standard directory is suspicious.

Mshta Spawning Windows Shell

The mshta.exe process launching a command shell process is suspicious.

Bypass UAC via Fodhelper.exe

This could indicate the use of Fodhelper.exe to bypass User Account Control. Adversaries may use this technique to run privileged processes.

Suspicious Serv-U Process Pattern

Certain child processes launched by Serv-U.exe indicate possible exploitation.

HTML Help Shell Spawn

A child process spawned by the Microsoft HTML Help system is suspicious.

Regedit as Trusted Installer

Running the regedit process as a TrustedInstaller is suspicious.

Script Event Consumer Spawning Process

The scrcons.exe process launching PowerShell or other uncommon processes is suspicious.

WMI Persistence - Script Event Consumer

A persistent scrcons.exe child process indicates a WMI backdoor may have been created.

Suspicious Svchost Process

Launch of svchost.exe from certain parent processes is suspicious.

Exploit for CVE-2015-1641

Launch of MicroScMgmt.exe from Winword is uncommon and indicative of exploits described in CVE-2015-1641.

TA505 Dropper Load Pattern

Loading of the mshta process by the wmiprvse process is indicative of TA505 malicious documents.

Execution via WorkFolders.exe

It is suspicious for WorkFolders.exe to run an arbitrary control.exe.

Microsoft Outlook Product Spawning Windows Shell

It is suspicious for Microsoft Outlook to start a Windows command and scripting interpreter executable.

Bypass UAC via WSReset.exe

This could indicate the use of WSReset.exe to bypass User Account Control. Adversaries may use this technique to run privileged processes.

Remote PowerShell Session Host Process (WinRM)

Remote PowerShell sessions may be suspicious.

Emissary Panda Malware SLLauncher

This indicates the running of DLL side-loading malware used by the threat group Emissary Panda, also known as APT27.

Suspicious JAVA Child Process

This may indicate an attempt to run a malicious JAR file or an attempt to exploit a Java-specific vulnerability.

Suspicious SolarWinds Child Process

A SolarWinds process that launches a child process may indicate an attempt to run malicious programs.

Execution via MSSQL xp_cmdshell Stored Procedure

Use of the MSSQL xp_cmdshell stored procedure, which is disabled by default, indicates that a user may be attempting to elevate their privileges.

Process Activity via Compiled HTML File

Compiled HTML files (.chm), commonly distributed as help systems, are capable of concealing malicious code and delivering it to a victim system. It is suspicious when the runtime program for .chm files (hh.exe) launches certain other processes (such as a command shell).

Signed Proxy Execution via MS WorkFolders

Use of Windows Work Folders to run a control.exe file in the current working directory is indicative of potential malicious activity.

Microsoft Exchange Server UM Spawning Suspicious Processes

The CVE-2021-26857 vulnerability may be indicated when Exchange Server UM processes launch unexpected child processes.

Unusual Parent-Child Relationship

A Windows program run from an unexpected parent process could indicate masquerading or other strange activity on a system.

Suspicious Process from Conhost

A suspicious Conhost child process may indicate code injection activity.

Suspicious Zoom Child Process

Launch of Zoom from a command shell may indicate an attempt to run Zoom undetected.

Unusual Parent Process for cmd.exe

Launching of cmd.exe from an unusual parent process is suspicious.

Suspicious MS Office Child Process

Certain child processes being launched from MS Office applications or documents with macros are indicative of malicious activity.

Microsoft Build Engine Started by a System Process

It is unusual for Explorer or the WMI (Windows Management Instrumentation) subsystem to launch MSBuild, the Microsoft Build Engine.

Microsoft Build Engine Started by an Office Application

Launch of the Microsoft Build Engine from an Office application is unusual and may indicate the associated document has run a malicious script payload.

Command Execution via SolarWinds Process

A SolarWinds process that launches a command-line call or PowerShell command is considered suspicious.

Suspicious .NET Code Compilation

This may indicate suspicious .NET or Visual Basic compilation of downloaded code.

Conhost Spawned By Suspicious Parent Process

The Console Window Host (conhost.exe) process being launched by a suspicious parent process is indicative of code injection.

Unusual Child Process of dns.exe

An unexpected process being launched from dns.exe may indicate remote code execution or other forms of exploitation.

Script Process Child of Common Web Processes

A parent web process, such as httpd.exe, that runs a script process, such as powershell.exe, is suspicious and may indicate an attempt to obtain remote shell access.

Suspicious Endpoint Security Parent Process

A suspicious Endpoint Security parent process was detected, which may indicate process hollowing or other form of code injection.
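The catalogue above describes each rule as a parent/child image pairing; the following is an added example (not the product's own rule engine) that encodes a handful of those rules as predicates and evaluates them over constructed process-creation events. The Sysmon-style ParentImage/Image field names, the sample events and the OFFICE image set are assumptions.

```python
"""Parent/child process-creation matcher (added example; not the product's
own rule engine). Rule titles and process pairs are taken from the catalogue
above; the event layout and the sample events are constructed."""
from pathlib import PureWindowsPath

def name(path):
    """Lower-cased image basename; matching is case-insensitive."""
    return PureWindowsPath(path).name.lower()

def in_users_dir(path):
    """True when the image lives under <drive>:\\Users\\ (e.g. a dropped payload)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "users"

SHELLS = {"cmd.exe", "powershell.exe"}
OFFICE = {"winword.exe", "outlook.exe"}  # assumed set; extend with other Office images

# Each rule: (title, predicate over parent name, child name, full child path).
RULES = [
    ("MSHTA Spawning Windows Shell", lambda p, c, cp: p == "mshta.exe" and c in SHELLS),
    ("Exploit for CVE-2017-8759", lambda p, c, cp: p == "winword.exe" and c == "csc.exe"),
    ("UAC Bypass via Windows Event Viewer",
     lambda p, c, cp: p == "eventvwr.exe" and c in {"mmc.exe", "werfault.exe"}),
    ("TA505 Dropper Load Pattern", lambda p, c, cp: p == "wmiprvse.exe" and c == "mshta.exe"),
    ("Sdclt Child Processes", lambda p, c, cp: p == "sdclt.exe"),  # any child counts
    ("MS Office Product Spawning Exe in User Dir",
     lambda p, c, cp: p in OFFICE and in_users_dir(cp)),
]

def matching_rules(event):
    """Titles of every encoded rule a single process-creation event satisfies."""
    p, c, cp = name(event["ParentImage"]), name(event["Image"]), event["Image"]
    return [title for title, pred in RULES if pred(p, c, cp)]

def alert_fires(events):
    """The alert triggers when any one rule matches any event, as the intro states."""
    return any(matching_rules(e) for e in events)

# Constructed sample events (assumed Sysmon-style ParentImage/Image fields).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(name(e["ParentImage"]), "->", name(e["Image"]), matching_rules(e))
```

Only the image basenames are compared, so a rule that depends on the child's location (the User Dir rule) must inspect the full path separately, as in_users_dir does.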