Rules Contributing to Windows Suspicious Process Creation Alert

The following rules are used to identify suspicious activity associated with process creation. Any one or more of these will trigger the Suspicious Process Creation Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Powershell Process Created by Internet Explorer

A Powershell process has been created by Internet Explorer. This can indicate a malicious website has successfully launched an exploit.

Rule ID

process_creation_image_1

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'iexplore.exe'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1059.001

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Powershell Process Created by Office PowerPoint

A Powershell process has been created by Microsoft Office PowerPoint. This can indicate a malicious document containing a macro or an exploit has been opened by the user.

Rule ID

process_creation_image_2

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'POWERPNT.EXE'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1059.001

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Executable with Suspicious Extension

An executable was launched with a well-known extension preceding the executable extension. This could be an indication that a user was tricked into executing a malicious program.

Rule ID

process_creation_image_5

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\.(jpeg|jpg|png|gif|tiff|ico|zip|rar|pdf)\\.(exe|msi|scr|hta|bat|hta)$'}, 'selection4': {'CurrentDirectory|re': '(?:\\\\Program Files(?:\\(x86\\))?|\\\\PROGRA~(?:1|2))'}, 'condition': 'selection2 and selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1036

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Process created by dbgsrv debugger

A known signed debugger software has been detected creating a remote process. This could be used by an attacker trying to bypass whitelisted applications.

Rule ID

process_creation_image_6

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\dbgsrv.exe'}, 'selection4': {'ParentCommandLine|contains': 'clicon='}, 'selection5': {'ParentCommandLine|contains': 'port='}, 'condition': 'selection2 and selection3 and selection4 and selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Powershell Process Created by Office Word

A Powershell process has been created by Microsoft Office Word. This can indicate a malicious document containing a macro or an exploit has been opened by the user.

Rule ID

process_creation_image_8

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'WINWORD.EXE'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1059.001

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Java Process Spawning Scripting Process

A suspicious process has been created by Java Software. This could be an indication of malicious activity.

Rule ID

process_creation_image_10

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|re': '\\\\java[w]?\\.exe'}, 'selection4': {'Image|re': '(?:powershell|wscript|cscript|mshta)\\.exe'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1216

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Powershell Process Created by webserver process

A webserver process has created a Powershell session. This could be the result of a successful exploitation of the webserver or the installation of a webshell.

Rule ID

process_creation_image_11

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'powershell.exe'}, 'selection4': {'ParentImage|contains': 'w3wp.exe'}, 'selection5': {'ParentImage|contains': 'httpd.exe'}, 'selection6': {'ParentImage|contains': 'tomcat6.exe'}, 'selection7': {'ParentImage|contains': 'nginx.exe'}, 'selection8': {'ParentImage|contains': 'php-cgi.exe'}, 'selection9': {'ParentImage|contains': 'tomcat.exe'}, 'condition': 'selection2 and selection3 and (selection4 or selection5 or selection6 or selection7 or selection8 or selection9)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1190

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Process Execution Using pcwutl.dll

A process has been launched using the pcwutl.dll library. This can indicate an attacker is trying to bypass whitelisting technologies.

Rule ID

process_creation_image_12

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\rundll32.exe'}, 'selection4': {'ParentCommandLine|contains': 'pcwutl.dll'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218.011

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Windows Hacking Tool Detected

A common hacking tool was detected being used on this machine. While hacking tools can be used for System diagnostics during routine maintenance it is also a common indicator of malware performing additional reconnaissance or privilege escalation.

Rule ID

process_creation_image_13

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\\\(?:(?:(?:win32dd|win64dd|wce|mailpv|rdpv|logreader|netpass|iepv|routerpass|pstpass|vncpass|mspass)\\.exe)|WebBrowserPassView|VNCPassView|Cachedump|Fgdump|gsecdump|Lslsass|mimikatz|pwdump|getlsasrvaddr|timestomp|BulletsPassView|WebBrowserPassView|WirelessKeyView|Chromepass|dialupass|lookpass|Fluxay5Beta1|pstpassword|OperaPassView|routerpassview|PasswordFox)'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Executable launched using Windows PresentationHost tool

Windows Presentation Foundation Host (PresentationHost.exe) enables applications to be hosted in compatible browsers. This tool can bypass code integrity enforcement in Windows Defender Application Control.

Rule ID

process_creation_image_14

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\PresentationHost.exe'}, 'selection4': {'Image|re': '\\\\(?:iexplore|chrome|firefox)\\.exe'}, 'condition': 'selection2 and selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Executable Launched from System Volume Information

Running executables from the System Volume Information folder is a common technique used by malware in order to hide itself. This could be an indication of malicious activity.

Rule ID

process_creation_image_15

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': ':\\System Volume Information\\'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1036

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Powershell Process Created by Office Excel

A Powershell process has been created by Microsoft Office Excel. This can indicate a malicious document containing a macro or an exploit has been opened by the user.

Rule ID

process_creation_image_16

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'EXCEL.EXE'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1059.001

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Detected scripting process spawned by WinRAR

A scripting process executed with wscript.exe, cscript.exe or mshta.exe was directly executed from WinRAR. This behavior is commonly executed by packed malware.

Rule ID

process_creation_image_17

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\WinRAR.exe'}, 'selection4': {'Image|re': '\\\\(wscript|cscript|mshta)\\.exe$'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1059

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

RDP process spawning a suspicious process

An unauthenticated attacker could connect to the target system using RDP and send specially crafted requests. This vulnerability could execute arbitrary code on the target system.

Rule ID

process_creation_image_18

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\svchost.exe'}, 'selection4': {'ParentCommandLine|contains': 'svchost.exe -k termsvcs'}, 'selection5': {'Image|contains': '\\rdpclip.exe'}, 'condition': 'selection2 and selection3 and selection4 and not selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1210

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Windows UAC bypass - UACME tool

User Account Control Bypass activity was detected. This can be due to either a regular operation or because an attacker is trying to escalate privileges.

Rule ID

process_creation_image_19

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\dism.exe'}, 'selection4': {'ParentCommandLine|contains': '.xml'}, 'selection5': {'Image|re': '\\\\appdata\\\\.*\\\\dismhost\\.exe'}, 'selection6': {'Image|contains': '\\wusa.exe'}, 'selection7': {'CommandLine|contains': '/quiet'}, 'selection8': {'ParentImage|contains': '\\explorer.exe'}, 'selection10': {'ParentImage|contains': 'dccw.exe'}, 'selection11': {'ParentImage|contains': '\\slui.exe'}, 'condition': 'selection2 and ((selection3 and selection4 and not selection5) or (selection6 and selection7 and not selection8) or selection10 or selection11)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

MS Exchange transport agent backdoor

Transport agents let you install custom software on an Exchange server. This could be used by malware to gain persistence and install backdoors.

Rule ID

process_creation_image_20

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\EdgeTransport.exe'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1129

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Executable launched using Synaptics Touchpad Enhancements tool

Synaptics Touchpad Enhancements utility allows you to run binaries in the system. This tool can bypass code integrity enforcement in Windows Defender Application Control.

Rule ID

process_creation_image_21

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\SynTPEnh.exe'}, 'selection4': {'ParentCommandLine|contains': '/SHELLEXEC'}, 'selection5': {'Image|contains': '\\SynTPHelper.exe'}, 'selection6': {'Image|contains': '\\WerFault.exe'}, 'condition': 'selection2 and selection3 and selection4 and not (selection5 or selection6)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

SharPyShell Process Execution Detected

SharPyShell is a known hacking tool that is able to deploy a shell into the ASP.NET server. This shell can be controlled remotely from a malicious server. A process with these characteristics has been detected, what is an indicator of compromise by SharPyShell.

Rule ID

process_creation_image_22

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'DomainName': 'IIS APPPOOL'}, 'selection4': {'SourceUserName': 'sharpy'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1505.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

User Privilege Escalation

A privilege escalation behavior has been detected, it is not common to run a process as SYSTEM in user's directory. This could be an indication of malicious activity.

Rule ID

process_creation_image_23

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'SourceUserName': 'SYSTEM'}, 'selection4': {'Image|contains': '\\Users\\'}, 'selection5': {'SourceUserName': ''}, 'condition': 'selection2 and selection3 and selection4 and not selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1574

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Suspicious Process Created by mshta.exe

A suspicious process process has been created by mshta.exe. This can indicate an attacker is using built-in Windows functionality to perform malicious activity.

Rule ID

process_creation_image_24

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\mshta.exe'}, 'selection4': {'Image|re': '\\\\(?:powershell|(?:w|c)script|cmd)\\.exe'}, 'selection5': {'CurrentDirectory|re': '(?:\\\\Program Files(?:\\(x86\\))?|\\\\PROGRA~(?:1|2))'}, 'condition': 'selection2 and selection3 and selection4 and not selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218.005

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Java Process Spawning WMIC

The wmic.exe process was executed by Java Software. This could be an indication of malicious activity.

Rule ID

process_creation_image_25

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|re': '\\\\java[w]?\\.exe'}, 'selection4': {'Image|contains': '\\wmic.exe'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1047

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Process Spawning Fodhelper

A process has spawned Fodhelper.exe. There is a known UAC bypass that can be used to escalate privileges.

Rule ID

process_creation_image_26

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\\\(?:powershell|(?:w|c)script|cmd)\\.exe'}, 'selection4': {'ParentImage|contains': '\\fodhelper.exe'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Executable Launched from Recycle Bin

Running executables from the Recycle Bin folder is a common technique used by malware in order to hide itself. This could be an indication of malicious activity.

Rule ID

process_creation_image_28

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': ':\\$Recycle.Bin\\'}, 'selection4': {'Image|contains': ':\\Recycler\\'}, 'condition': 'selection2 and (selection3 or selection4)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1036

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Suspicious Process Created by Notepad or Calculator

A potentially suspicious process was started by either Notepad or Calculator. This could be the result of malicious file being opened by the user or a proof-of-concept being tested.

Rule ID

process_creation_image_31

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\NOTEPAD.EXE'}, 'selection4': {'Image|re': '\\\\(?:notepad|ctfmon|Microsoft\\.Uev\\.SyncController)\\.exe'}, 'selection5': {'CommandLine|contains': '\\DRIVERS\\'}, 'selection6': {'ParentImage|contains': '\\CALC.EXE'}, 'selection7': {'Image|contains': 'CALC.EXE'}, 'selection8': {'Image|contains': ':\\Program Files'}, 'selection9': {'Image|contains': '":\\Windows\\splwow64.exe"'}, 'condition': 'selection2 and ((selection3 and not (selection4 or selection5)) or (selection6 and not selection7)) and not (selection8 or selection9)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1203

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Suspicious Process Created by Microsoft Office Application

A potentially suspicious process was started by a Microsoft Office application. This can indicate a malicious document containing a macro or an exploit has been opened by the user.

Rule ID

process_creation_image_32

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|re': '(?:winword|excel|powerpnt|msaccess|infopath)\\.exe'}, 'selection6': {'Image|re': '(?:cmd|svchost|wscript|notepad|rundll32|schtasks|ntvdm|bitsadmin|msiexec|regsvr32|certutil|mshta|[A-Z]:\\\\Users\\\\.*)\\.exe$'}, 'selection4': {'Image|contains': '\\AppData\\'}, 'selection5': {'CommandLine|contains': '\\DRIVERS\\'}, 'condition': 'selection2 and selection3 and selection6 and not (selection4 or selection5)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1203

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Windows mofcomp with suspicious file extension

The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers could use this tool to compile malicious WMI classes.

Rule ID

process_creation_image_33

Query

{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image': '\\mofcomp.exe'}, 'selection5': {'CommandLine|re': '\\.mof'}, 'condition': 'selection2 and selection3 and not selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1047

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A