Rules Contributing to Parent/Child-based Suspicious Process Creation Alert

MSHTA Spawning Windows Shell

It is suspicious for the mshta process to launch a Windows command line executable.

Rule ID

parent_child_1

Query

{'selection': {'ParentImage|endswith': '\\mshta.exe'}, 'selection2': [{'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\reg.exe', '\\regsvr32.exe']}, {'Image|contains': ['\\BITSADMIN']}], 'condition': 'selection and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,03cc0c25-389f-4bf8-b48d-11878079f1ca

Author: Michael Haag

Tactics, Techniques, and Procedures

T1218.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/01/16	high	Printer software / driver installations HP software

New Lolbin Process by Office Applications

A Microsoft Office application that launches a new LOLBin process is very suspicious.

More details

Rule ID

parent_child_2

Query

{'selection1': {'Image|endswith': ['\\regsvr32.exe', '\\rundll32.exe', '\\msiexec.exe', '\\mshta.exe', '\\verclsid.exe']}, 'selection2': {'ParentImage|endswith': ['\\winword.exe', '\\excel.exe', '\\powerpnt.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,23daeb52-e6eb-493c-8607-c4f0246cb7d8

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)

Tactics, Techniques, and Procedures

T1047, T1204.002, T1218.010

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/08/23	high	Unknown

Droppers Exploiting CVE-2017-11882

This is indicative an attempt to exploit vulnerabilities described in CVE-2017-11882, in which exploits often start EQNEDT32.EXE and other sub-processes such as mshta.exe.

More details

Rule ID

parent_child_3

Query

{'selection': {'ParentImage|endswith': '\\EQNEDT32.EXE'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,678eb5f4-8597-4be6-8be7-905e4234b53a

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1203, T1204.002, T1566.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/11/23	critical	unknown

Exploit for CVE-2017-8759

As described in CVE-2017-8759, launch of csc.exe from Winword may be an exploit attempt.

More details

Rule ID

parent_child_4

Query

{'selection': {'ParentImage|endswith': '\\WINWORD.EXE', 'Image|endswith': '\\csc.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,fdd84c68-a1f6-47c9-9477-920584f94905

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1203, T1204.002, T1566.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/09/15	critical	Unknown

Suspicious Shells Spawn by WinRM

A WinRM host process that launches a shell is suspicious.

More details

Rule ID

parent_child_5

Query

{'selection': {'ParentImage': '*\\wsmprovhost.exe', 'Image': ['*\\cmd.exe', '*\\sh.exe', '*\\bash.exe', '*\\powershell.exe', '*\\schtasks.exe', '*\\certutil.exe', '*\\whoami.exe', '*\\bitsadmin.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,5cc2cda8-f261-4d88-a2de-e9e193c86716

Author: Andreas Hunkeler (@Karneades), Markus Neis

Tactics, Techniques, and Procedures

T1190

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/05/20	high	Legitimate WinRM usage

Suspicious Shells Spawned by Java

A Java host process that launches certain child processes, particularly a shell process, is suspicious and may indicate exploitation such as log4j.

More details

Rule ID

parent_child_6

Query

{'selection': {'ParentImage|endswith': '\\java.exe', 'Image|endswith': ['\\sh.exe', '\\bash.exe', '\\powershell.exe', '\\schtasks.exe', '\\certutil.exe', '\\whoami.exe', '\\bitsadmin.exe', '\\wscript.exe', '\\cscript.exe', '\\scrcons.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe', '\\curl.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,0d34ed8b-1c12-4ff2-828c-16fc860b766d

Author: Andreas Hunkeler (@Karneades), Florian Roth

Tactics, Techniques, and Procedures

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/12/17	high	Legitimate calls to system binaries Company specific internal usage

WMI Backdoor Exchange Transport Agent

This indicates that a WMI event filter has been used to create a backdoor in an Exchange Transport Agent.

More details

Rule ID

parent_child_7

Query

{'selection': {'ParentImage|endswith': '\\EdgeTransport.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,797011dc-44f4-4e6f-9f10-a8ceefbe566b

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1546.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/11	critical	Unknown

Exploit for CVE-2017-0261

Launch of FLTLDR.exe from Winword is uncommon and indicative of exploits described in CVE-2017-0261 and CVE-2017-0262.

More details

Rule ID

parent_child_8

Query

{'selection': {'ParentImage|endswith': '\\WINWORD.EXE', 'Image|contains': '\\FLTLDR.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,864403a1-36c9-40a2-a982-4c9a45f7d833

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1203, T1204.002, T1566.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2018/02/22	medium	Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)

Exploited CVE-2020-10189 Zoho ManageEngine

This is indicative of CVE-2020-10189 which describes exploitation of Zoho ManageEngine Desktop Central - Java Deserialization.

More details

Rule ID

parent_child_9

Query

{'selection': {'ParentImage|endswith': 'DesktopCentral_Server\\jre\\bin\\java.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\bitsadmin.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,846b866e-2a57-46ee-8e16-85fa92759be7

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1059.001, T1059.003, T1190

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/03/25	critical	Unknown

Microsoft Office Product Spawning Windows Shell

It is suspicious for a Microsoft Office application to launch a Windows command and scripting interpreter executable.

More details

Rule ID

parent_child_10

Query

{'selection': {'ParentImage|endswith': ['\\WINWORD.EXE', '\\EXCEL.EXE', '\\POWERPNT.exe', '\\MSPUB.exe', '\\VISIO.exe', '\\MSACCESS.EXE', '\\EQNEDT32.EXE'], 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\scrcons.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\msiexec.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe', '\\svchost.exe', '\\msbuild.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,438025f9-5856-4663-83f7-52f878a70a50

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io

Tactics, Techniques, and Procedures

T1204.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2018/04/06	high	unknown

Suspicious Parent of Csc.exe

It is considered suspicious when certain parent processes (such as wscript or mshta) have launched cwc.exe.

More details

Rule ID

parent_child_11

Query

{'selection': {'Image|endswith': '\\csc.exe', 'ParentImage|endswith': ['\\wscript.exe', '\\cscript.exe', '\\mshta.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,b730a276-6b63-41b8-bcf8-55930c8fc6ee

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)

Tactics, Techniques, and Procedures

T1027.004, T1059.005, T1059.007, T1218.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/02/11	high	Unknown

MSHTA Spawned by SVCHOST

This is indicative of LethalHTA (a lateral movement technique).

More details

Rule ID

parent_child_12

Query

{'selection': {'ParentImage|endswith': '\\svchost.exe', 'Image|endswith': '\\mshta.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,ed5d72a6-f8f4-479d-ba79-02f6a80d7471

Author: Markus Neis

Tactics, Techniques, and Procedures

T1218.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2018/06/07	high	Unknown

Suspicious HWP Sub Processes

Certain sub-processes of the Hangul Word Processor (Hanword) application may indicate an exploitation attempt.

More details

Rule ID

parent_child_13

Query

{'selection': {'ParentImage|endswith': '\\Hwp.exe', 'Image|endswith': '\\gbb.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,023394c4-29d5-46ab-92b8-6a534c6f447b

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1059.003, T1203, T1566.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/24	high	Unknown

Time Travel Debugging Utility Usage

Use of the Time Travel Debugging Utility (tttracer.exe) is suspicious since adversaries can use it to run malicious processes and dump processes, such as lsass.exe.

More details

Rule ID

parent_child_14

Query

{'selection': {'ParentImage|endswith': '\\tttracer.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,0b4ae027-2a2d-4b93-8c7e-962caaba5b2a

Author: Ensar Şamil, @sblmsrsn, @oscd_initiative

Tactics, Techniques, and Procedures

T1003.001, T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/06	high	Legitimate usage by software developers/testers

CMSTP Execution Process Creation

This is an indicator of an attempt to use Microsoft Connection Manager Profile to bypass UAC.

More details

Rule ID

parent_child_15

Query

{'selection': {'ParentImage|endswith': '\\cmstp.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,7d4cdc5a-0076-40ca-aac8-f7e714570e47

Author: Nik Seetharaman

Tactics, Techniques, and Procedures

T1218.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
stable	2018/07/16	high	Legitimate CMSTP use (unlikely in modern enterprise environments)

Winnti Malware HK University Campaign

This is a characteristic of Winnti malware as reported in a Dec/Jan 2020 campaign against Hong Kong universities.

More details

Rule ID

parent_child_16

Query

{'selection2': {'ParentImage|startswith': 'C:\\ProgramData\\DRM', 'Image|endswith': '\\wmplayer.exe'}, 'selection3': {'ParentImage|endswith': '\\Test.exe', 'Image|endswith': '\\wmplayer.exe'}, 'selection4': {'Image': 'C:\\ProgramData\\DRM\\CLR\\CLR.exe'}, 'selection5': {'ParentImage|startswith': 'C:\\ProgramData\\DRM\\Windows', 'Image|endswith': '\\SearchFilterHost.exe'}, 'condition': '1 of selection*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,3121461b-5aa0-4a41-b910-66d25524edbb

Author: Florian Roth (Nextron Systems), Markus Neis

Tactics, Techniques, and Procedures

T1574.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/02/01	critical	Unlikely

Shells Spawned by Web Servers

A web server process that runs a shell process indicates a possible placement of a web shell for malicious use.

More details

Rule ID

parent_child_17

Query

{'selection': {'ParentImage|endswith': ['\\w3wp.exe', '\\httpd.exe', '\\nginx.exe', '\\php-cgi.exe', '\\tomcat.exe', '\\UMWorkerProcess.exe', '\\ws_TomcatService.exe'], 'Image|endswith': ['\\cmd.exe', '\\sh.exe', '\\bash.exe', '\\powershell.exe', '\\bitsadmin.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,8202070f-edeb-4d31-a010-a26c72ac5600

Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1190, T1505.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/01/16	high	Particular web applications may spawn a shell process legitimately

Sdclt Child Processes

The sdclt process creating a child process indicates a possible attempt to bypass UAC.

More details

Rule ID

parent_child_18

Query

{'selection': {'ParentImage|endswith': '\\sdclt.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,da2738f2-fadb-4394-afa7-0a0674885afa

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/05/02	medium	unknown

LOLBins Process Creation with WmiPrvse

A LOLBin process created by wmiprvse is suspicious.

More details

Rule ID

parent_child_19

Query

{'selection1': {'Image|endswith': ['\\regsvr32.exe', '\\rundll32.exe', '\\msiexec.exe', '\\mshta.exe', '\\verclsid.exe']}, 'selection2': {'ParentImage|endswith': '\\wbem\\WmiPrvSE.exe'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,8a582fe2-0882-4b89-a82a-da6b2dc32937

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1047, T1204.002, T1218.010

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/08/23	high	Unknown

MMC Spawning Windows Shell

It is suspicious for MMC to launch a Windows command-line executable.

More details

Rule ID

parent_child_20

Query

{'selection': {'ParentImage|endswith': '\\mmc.exe'}, 'selection2': [{'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\reg.exe', '\\regsvr32.exe']}, {'Image|contains': ['\\BITSADMIN']}], 'condition': 'selection and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,05a2ab7e-ce11-4b63-86db-ab32e763e11d

Author: Karneades, Swisscom CSIRT

Tactics, Techniques, and Procedures

T1021.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/08/05	high	N/A

Suspicious Shells Spawn by Java Utility Keytool

It is suspicious for the Java utility keytool process to launch a shell and indicates potential exploitations, such as adselfservice.

More details

Rule ID

parent_child_21

Query

{'selection': {'ParentImage|endswith': '\\keytool.exe', 'Image|endswith': ['\\cmd.exe', '\\sh.exe', '\\bash.exe', '\\powershell.exe', '\\schtasks.exe', '\\certutil.exe', '\\whoami.exe', '\\bitsadmin.exe', '\\wscript.exe', '\\cscript.exe', '\\scrcons.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,90fb5e62-ca1f-4e22-b42e-cc521874c938

Author: Andreas Hunkeler (@Karneades)

Tactics, Techniques, and Procedures

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/12/22	high	unknown

UAC Bypass via Windows Event Viewer

A UAC bypass attempt to run code with elevated permissions may be indicated when eventvwr.exe launches mmc.exe or WerFault.exe.

More details

Rule ID

parent_child_22

Query

{'methprocess': {'ParentImage|endswith': '\\eventvwr.exe'}, 'filterprocess': {'Image': ['?:\\Windows\\SysWOW64\\mmc.exe', '?:\\Windows\\System32\\mmc.exe', '?:\\Windows\\SysWOW64\\WerFault.exe', '?:\\Windows\\System32\\WerFault.exe']}, 'condition': 'methprocess and not filterprocess'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,be344333-921d-4c4d-8bb8-e584cf584780

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2017/03/19	critical	unknown

Malicious PE Execution by Microsoft Visual Studio Debugger

The MS VS Just-In-Time Debugger (vsjitdebugger.exe), which is a signed/verified binary, can be exploited to launch malicious code.

More details

Rule ID

parent_child_23

Query

{'selection': {'ParentImage|endswith': '\\vsjitdebugger.exe'}, 'reduction1': {'Image|endswith': '\\vsimmersiveactivatehelper*.exe'}, 'reduction2': {'Image|endswith': '\\devenv.exe'}, 'condition': 'selection and not (reduction1 or reduction2)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,15c7904e-6ad1-4a45-9b46-5fb25df37fd2

Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/14	medium	the process spawned by vsjitdebugger.exe is uncommon.

CVE-2021-26857 Exchange Exploitation

The CVE-2021-26857 vulnerability is indicated when abnormal subprocesses are launched from Microsoft Exchange Server’s Unified Messaging service.

More details

Rule ID

parent_child_24

Query

{'selection': {'ParentImage|endswith': '\\UMWorkerProcess.exe'}, 'filter': {'Image|endswith': ['\\wermgr.exe', '\\WerFault.exe']}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,cd479ccc-d8f0-4c66-ba7d-e06286f3f887

Author: Bhabesh Raj

Tactics, Techniques, and Procedures

T1203

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
stable	2021/03/03	critical	Unknown

MS Office Product Spawning Exe in User Dir

It is suspicious for a Microsoft Office application to launch an executable in the Users directory.

More details

Rule ID

parent_child_25

Query

{'selection': {'ParentImage|endswith': ['\\WINWORD.EXE', '\\EXCEL.EXE', '\\POWERPNT.exe', '\\MSPUB.exe', '\\VISIO.exe'], 'Image|startswith': 'C:\\users\\', 'Image|endswith': '.exe'}, 'filter': {'Image|endswith': '\\Teams.exe'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,aa3a6f94-890e-4e22-b634-ffdfd54792cc

Author: Jason Lynch

Tactics, Techniques, and Procedures

T1204.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2019/04/02	high	unknown

Execution via stordiag.exe

The stordiag.exe process launch processes such as systeminfo.exe from a non-standard path is suspicious.

More details

Rule ID

parent_child_26

Query

{'selection': {'ParentImage|endswith': '\\stordiag.exe', 'Image|endswith': ['\\schtasks.exe', '\\systeminfo.exe', '\\fltmc.exe']}, 'filter': {'ParentImage|startswith': ['c:\\windows\\system32\\', 'c:\\windows\\syswow64\\']}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,961e0abb-1b1e-4c84-a453-aafe56ad0d34

Author: Austin Songer (@austinsonger)

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/10/21	high	Legitimate usage of stordiag.exe.

Always Install Elevated MSI Spawned Cmd And Powershell

A Windows Installer service that launches a command-line shell or PowerShell is considered suspicious.

More details

Rule ID

parent_child_27

Query

{'image': {'Image|endswith': ['\\cmd.exe', '\\powershell.exe']}, 'parent_image': {'ParentImage|contains|all': ['\\Windows\\Installer\\', 'msi'], 'ParentImage|endswith': ['tmp']}, 'condition': 'image and parent_image'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,1e53dd56-8d83-4eb4-a43e-b790a05510aa

Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/10/13	medium	Penetration test

Wsreset UAC Bypass

The Wsreset.exe tool can be used to reset the Windows Store to bypass UAC.

More details

Rule ID

parent_child_28

Query

{'selection': {'ParentImage|endswith': ['\\WSreset.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/01/30	high	Unknown sub processes of Wsreset.exe

DNS RCE CVE-2020-1350

This indicates possible exploitation of a DNS RCE bug, as decribed in CVE-2020-1350.

More details

Rule ID

parent_child_29

Query

{'selection': {'ParentImage|endswith': '\\System32\\dns.exe'}, 'filter': {'Image|endswith': ['\\System32\\werfault.exe', '\\System32\\conhost.exe', '\\System32\\dnscmd.exe']}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,b5281f31-f9cc-4d0d-95d0-45b91c45b487

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1190, T1569.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/07/15	critical	Unknown but benign sub processes of the Windows DNS service dns.exe

ScreenConnect Backstage Mode Anomaly

This indicates the use of Backstage mode of the ScreenConnect client, which is suspicious.

More details

Rule ID

parent_child_30

Query

{'selection': {'ParentImage|endswith': '\\ScreenConnect.ClientService.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,7b582f1a-b318-4c6a-bf4e-66fe49bf55a5

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1219

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/02/25	high	Case in which administrators are allowed to use ScreenConnect's Backstage mode

Suspicious LSASS Process Clone

This is a suspicious LSASS process clone, which could be a sign of process dumping activity.

More details

Rule ID

parent_child_31

Query

{'selection': {'Image|endswith': '\\Windows\\System32\\lsass.exe', 'ParentImage|endswith': '\\Windows\\System32\\lsass.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,c8da0dfd-4ed0-4b68-962d-13c9c884384e

Author: Florian Roth (Nextron Systems), Samir Bousseaden

Tactics, Techniques, and Procedures

T1003, T1003.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/11/27	critical	Unknown

Visual Basic Command Line Compiler Usage

Use of vbc.exe with child process cvtres.exe (Windows Resource to Object Converter) should not be seen in an enterprise environment.

More details

Rule ID

parent_child_32

Query

{'selection': {'ParentImage|endswith': '\\vbc.exe', 'Image|endswith': '\\cvtres.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,7b10f171-7f04-47c7-9fa2-5be43c76e535

Author: Ensar Şamil, @sblmsrsn, @oscd_initiative

Tactics, Techniques, and Procedures

T1027.004

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/10/07	high	Utilization of this tool should not be seen in enterprise environment

Suspicious Service Run-time Directory

The services or svchost process running in a non-standard directory is suspicious.

More details

Rule ID

parent_child_33

Query

{'selection': {'Image|contains': ['\\Users\\Public\\', '\\$Recycle.bin', '\\Users\\All Users\\', '\\Users\\Default\\', '\\Users\\Contacts\\', '\\Users\\Searches\\', 'C:\\Perflogs\\', '\\config\\systemprofile\\', '\\Windows\\Fonts\\', '\\Windows\\IME\\', '\\Windows\\addins\\'], 'ParentImage|endswith': ['\\services.exe', '\\svchost.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,883faa95-175a-4e22-8181-e5761aeb373c

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1202

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/03/09	high	Unknown

Mshta Spawning Windows Shell

The mshta.exe process launching a command shell process is suspicious.

More details

Rule ID

parent_child_34

Query

{'selection': {'ParentImage|endswith': '\\mshta.exe', 'Image|endswith': ['\\powershell.exe', '\\cmd.exe', '\\WScript.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,772bb24c-8df2-4be0-9157-ae4dfa794037

Tactics, Techniques, and Procedures

T1059.001, T1059.005, T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/06/28	high	Unknown

Bypass UAC via Fodhelper.exe

This could indicate the use of Fodhelper.exe to bypass User Account Control. Adversaries may use this technique to run privileged processes.

More details

Rule ID

parent_child_35

Query

{'selection': {'ParentImage|endswith': '\\fodhelper.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,7f741dcf-fc22-4759-87b4-9ae8376676a2

Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/24	high	Legitimate use of fodhelper.exe utility by legitimate user

Suspicious Serv-U Process Pattern

Certain child processes launched by Serve-U.exe indicate possible exploitation.

More details

Rule ID

parent_child_36

Query

{'selection': {'ParentImage|endswith': '\\Serv-U.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\msiexec.exe', '\\forfiles.exe', '\\scriptrunner.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,58f4ea09-0fc2-4520-ba18-b85c540b0eaf

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1555

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/07/14	critical	Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution

HTML Help Shell Spawn

It is a suspicious a child process of the Microsoft HTML Help system.

More details

Rule ID

parent_child_37

Query

{'selection': {'ParentImage': 'C:\\Windows\\hh.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\regsvr32.exe', '\\wmic.exe', '\\rundll32.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,52cad028-0ff0-4854-8f67-d25dfcbc78b4

Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1047, T1059.001, T1059.003, T1059.005, T1059.007, T1218.001, T1218.010, T1218.011

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/04/01	high	unknown

Regedit as Trusted Installer

Running the regedit process as a TrustedInstaller is suspicious.

More details

Rule ID

parent_child_38

Query

{'selection': {'Image|endswith': '\\regedit.exe', 'ParentImage|endswith': ['\\TrustedInstaller.exe', '\\ProcessHacker.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,883835a7-df45-43e4-bf1d-4268768afda4

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1548

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/05/27	high	Unlikely

Script Event Consumer Spawning Process

The scrcons.exe process launching PowerShell or other uncommon processes is suspicious.

More details

Rule ID

parent_child_39

Query

{'selection': {'ParentImage|endswith': ['\\scrcons.exe'], 'Image|endswith': ['\\svchost.exe', '\\dllhost.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\mshta.exe', '\\rundll32.exe', '\\msiexec.exe', '\\msbuild.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,f6d1dd2f-b8ce-40ca-bc23-062efb686b34

Author: Sittikorn S

Tactics, Techniques, and Procedures

T1047

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/06/21	high	unknown

WMI Persistence - Script Event Consumer

A persistent scrcons.exe child process indicates a WMI backdoor may have been created.

More details

Rule ID

parent_child_40

Query

{'selection': {'Image': 'C:\\WINDOWS\\system32\\wbem\\scrcons.exe', 'ParentImage': 'C:\\Windows\\System32\\svchost.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1546.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2018/03/07	high	Legitimate event consumers

Suspicious Svchost Process

Launch of svchost.exe from certain parent processes is suspicious.

More details

Rule ID

parent_child_41

Query

{'selection': {'Image|endswith': '\\svchost.exe'}, 'filter': {'ParentImage|endswith': ['\\services.exe', '\\MsMpEng.exe', '\\Mrt.exe', '\\rpcnet.exe', '\\svchost.exe', '\\ngen.exe', '\\TiWorker.exe']}, 'filter_null1': {'ParentImage': None}, 'filter_null2': {'ParentImage': ''}, 'filter_emptysysmon': {'ParentImage': '-'}, 'condition': 'selection and not 1 of filter*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,01d2e2a1-5f09-44f7-9fc1-24faa7479b6d

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1036.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2017/08/15	high	Unknown

Exploit for CVE-2015-1641

Launch of MicroScMgmt.exe from Winword is uncommon and indicative of exploits described in CVE-2015-1641.

More details

Rule ID

parent_child_42

Query

{'selection': {'ParentImage|endswith': '\\WINWORD.EXE', 'Image|endswith': '\\MicroScMgmt.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,7993792c-5ce2-4475-a3db-a3a5539827ef

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1036.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
stable	2018/02/22	critical	Unknown

TA505 Dropper Load Pattern

Loading of the mshta process by the wmiprvse process is indicative of TA505 malicious documents.

More details

Rule ID

parent_child_43

Query

{'selection': {'Image|endswith': '\\mshta.exe', 'ParentImage|endswith': '\\wmiprvse.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,18cf6cf0-39b0-4c22-9593-e244bdc9a2d4

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1106

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/12/08	critical	unknown

Execution via WorkFolders.exe

It is suspicious for WorkFolders.exe to run an arbitrary control.exe.

More details

Rule ID

parent_child_44

Query

{'selection': {'Image|endswith': '\\control.exe', 'ParentImage|endswith': '\\WorkFolders.exe'}, 'filter': {'Image': 'C:\\Windows\\System32\\control.exe'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation
Requirements: Sysmon ProcessCreation logging must be activated

Rule Source

SigmaHQ,0bbc6369-43e3-453d-9944-cae58821c173

Author: Maxime Thiebaut (@0xThiebaut)

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/10/21	high	Legitimate usage of the uncommon Windows Work Folders feature.

Microsoft Outlook Product Spawning Windows Shell

It is suspicious for Microsoft Outlook to start a Windows command and scripting interpreter executable.

More details

Rule ID

parent_child_45

Query

{'selection': {'ParentImage|endswith': '\\OUTLOOK.EXE', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\scrcons.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\msiexec.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe', '\\svchost.exe', '\\msbuild.exe']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,208748f7-881d-47ac-a29c-07ea84bf691d

Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team

Tactics, Techniques, and Procedures

T1204.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/02/28	high	unknown

Bypass UAC via WSReset.exe

This could indicate the use of WSReset.exe to bypass User Account Control. Adversaries may use this technique to run privileged processes.

More details

Rule ID

parent_child_46

Query

{'selection': {'ParentImage|endswith': '\\wsreset.exe'}, 'filter': {'Image|endswith': '\\conhost.exe'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,d797268e-28a9-49a7-b9a8-2f5039011c5c

Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth

Tactics, Techniques, and Procedures

T1548.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/24	high	Unknown

Remote PowerShell Session Host Process (WinRM)

Remote PowerShell sessions may be suspicious.

More details

Rule ID

parent_child_47

Query

{'selection': [{'Image|endswith': '\\wsmprovhost.exe'}, {'ParentImage|endswith': '\\wsmprovhost.exe'}], 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8

Author: Roberto Rodriguez @Cyb3rWard0g

Tactics, Techniques, and Procedures

T1021.006, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2019/09/12	medium	Legitimate usage of remote Powershell, e.g. for monitoring purposes.

Emissary Panda Malware SLLauncher

This indicates running of DLL side-loading malware which is used by the threat group Emissary Panda, also known as APT27.

More details

Rule ID

parent_child_48

Query

{'selection': {'ParentImage|endswith': '\\sllauncher.exe', 'Image|endswith': '\\svchost.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

SigmaHQ,9aa01d62-7667-4d3b-acb8-8cb5103e2014

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1574.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2018/09/03	critical	Unknown

Suspicious JAVA Child Process

This may indicate an attempt to run a malicious JAR file or an attempt to exploit a JAVA-specific vulnerability.

More details

Rule ID

parent_child_49

Query

{'selection1': {'ParentImage|endswith': '/java'}, 'selection2': {'Image|endswith': ['/sh', '/bash', '/dash', '/ksh', '/tcsh', '/zsh', '/curl', '/wget']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Linux Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1059

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/01/19	medium	N/A

Suspicious SolarWinds Child Process

A SolarWinds process that launches a child process may indicate an attempt to run malicious programs.

More details

Rule ID

parent_child_50

Query

{'selection1': {'ParentImage|endswith': ['\\SolarWinds.BusinessLayerHost.exe', '\\SolarWinds.BusinessLayerHostx64.exe']}, 'selection2': {'Image|endswith': ['\\APMServiceControl.exe', '\\ExportToPDFCmd.Exe', '\\SolarWinds.Credentials.Orion.WebApi.exe', '\\SolarWinds.Orion.Topology.Calculator.exe', '\\Database-Maint.exe', '\\SolarWinds.Orion.ApiPoller.Service.exe', '\\WerFault.exe', '\\WerMgr.exe']}, 'condition': 'selection1 and (not selection2)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, TA0002, T1106, T1195

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/12/14	medium	Trusted SolarWinds child processes, verify process details such as network connections and file writes.

Execution via MSSQL xp_cmdshell Stored Procedure

Use of MSSQL to run a stored procedure with xp_cmdshell, disabled by default, indicates a user may be attempting to elevate their privileges.

More details

Rule ID

parent_child_51

Query

{'selection1': {'Image|endswith': '\\cmd.exe'}, 'selection2': {'ParentImage|endswith': '\\sqlservr.exe'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1059

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/08/14	high	N/A

Process Activity via Compiled HTML File

Compiled HTML files (.chm), commonly distributed as help systems, have the capability of concealing malicious code and delivering to a victim system. It is suspicious when the runtime program for .chm files (hh.exe) launches other certain processes (such as a command shell).

More details

Rule ID

parent_child_52

Query

{'selection1': {'ParentImage|endswith': '\\hh.exe'}, 'selection2': {'Image|endswith': ['\\mshta.exe', '\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\powershell_ise.exe', '\\cscript.exe', '\\wscript.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, TA0005, T1204, T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/02/18	medium	The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code.

Signed Proxy Execution via MS WorkFolders

Use of Windows Work Folders to run a control.exe file in the current working directory is indicative of potential malicious activity.

More details

Rule ID

parent_child_53

Query

{'selection1': {'Image|endswith': '\\control.exe'}, 'selection2': {'ParentImage|endswith': '\\WorkFolders.exe'}, 'selection3': {'Image': ['?:\\Windows\\System32\\control.exe', '?:\\Windows\\SysWOW64\\control.exe']}, 'condition': 'selection1 and selection2 and (not selection3)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2022/03/02	medium	N/A

Microsoft Exchange Server UM Spawning Suspicious Processes

The CVE-2021-26857 vulnerability may be indicated when Exchange Server UM processes launch unexpected child processes.

More details

Rule ID

parent_child_54

Query

{'selection1': {'ParentImage|endswith': ['\\UMService.exe', '\\UMWorkerProcess.exe']}, 'selection2': {'Image|endswith': ['\\werfault.exe', '\\wermgr.exe']}, 'condition': 'selection1 and (not selection2)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, T1190

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/03/04	medium	Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule.

Unusual Parent-Child Relationship

A Windows program run from an unexpected parent process could indicate masquerading or other strange activity on a system.

More details

Rule ID

parent_child_55

Query

{'selection1': {'Image|endswith': '\\autochk.exe'}, 'selection2': {'ParentImage|endswith': '\\smss.exe'}, 'selection3': {'Image|endswith': ['\\fontdrvhost.exe', '\\dwm.exe']}, 'selection4': {'ParentImage|endswith': ['\\wininit.exe', '\\winlogon.exe']}, 'selection5': {'Image|endswith': ['\\consent.exe', '\\RuntimeBroker.exe', '\\TiWorker.exe']}, 'selection6': {'ParentImage|endswith': '\\svchost.exe'}, 'selection7': {'Image|endswith': '\\SearchIndexer.exe'}, 'selection8': {'ParentImage|endswith': '\\services.exe'}, 'selection9': {'Image|endswith': '\\SearchProtocolHost.exe'}, 'selection10': {'ParentImage|endswith': ['\\SearchIndexer.exe', '\\dllhost.exe']}, 'selection11': {'Image|endswith': '\\dllhost.exe'}, 'selection12': {'ParentImage|endswith': ['\\services.exe', '\\svchost.exe']}, 'selection13': {'Image|endswith': '\\smss.exe'}, 'selection14': {'ParentImage|endswith': ['\\System', '\\smss.exe']}, 'selection15': {'Image|endswith': '\\csrss.exe'}, 'selection16': {'ParentImage|endswith': ['\\smss.exe', '\\svchost.exe']}, 'selection17': {'Image|endswith': '\\wininit.exe'}, 'selection18': {'Image|endswith': '\\winlogon.exe'}, 'selection19': {'Image|endswith': ['\\lsass.exe', '\\LsaIso.exe']}, 'selection20': {'ParentImage|endswith': '\\wininit.exe'}, 'selection21': {'Image|endswith': '\\LogonUI.exe'}, 'selection22': {'Image|endswith': '\\services.exe'}, 'selection23': {'Image|endswith': '\\svchost.exe'}, 'selection24': {'ParentImage|endswith': ['\\MsMpEng.exe', '\\services.exe']}, 'selection25': {'Image|endswith': '\\spoolsv.exe'}, 'selection26': {'Image|endswith': '\\taskhost.exe'}, 'selection27': {'Image|endswith': '\\taskhostw.exe'}, 'selection28': {'Image|endswith': '\\userinit.exe'}, 'selection29': {'ParentImage|endswith': ['\\dwm.exe', '\\winlogon.exe']}, 'selection30': {'Image|endswith': ['\\wmiprvse.exe', '\\wsmprovhost.exe', '\\winrshost.exe']}, 'selection31': {'ParentImage|endswith': ['\\SearchProtocolHost.exe', '\\csrss.exe']}, 'selection32': {'Image|endswith': ['\\werfault.exe', '\\wermgr.exe', '\\WerFaultSecure.exe']}, 'selection33': {'ParentImage|endswith': '\\autochk.exe'}, 'selection34': {'Image|endswith': ['\\chkdsk.exe', '\\doskey.exe', '\\WerFault.exe']}, 'selection35': {'Image|endswith': ['\\autochk.exe', '\\smss.exe', '\\csrss.exe', '\\wininit.exe', '\\winlogon.exe', '\\setupcl.exe', '\\WerFault.exe']}, 'selection36': {'ParentImage|endswith': '\\wermgr.exe'}, 'selection37': {'Image|endswith': ['\\WerFaultSecure.exe', '\\wermgr.exe', '\\WerFault.exe']}, 'selection38': {'ParentImage|endswith': '\\conhost.exe'}, 'selection39': {'Image|endswith': ['\\mscorsvw.exe', '\\wermgr.exe', '\\WerFault.exe', '\\WerFaultSecure.exe']}, 'condition': '((selection1 and (not selection2)) or (selection3 and (not selection4)) or (selection5 and (not selection6)) or (selection7 and (not selection8)) or (selection9 and (not selection10)) or (selection11 and (not selection12)) or (selection13 and (not selection14)) or (selection15 and (not selection16)) or (selection17 and (not selection2)) or (selection18 and (not selection2)) or (selection19 and (not selection20)) or (selection21 and (not selection4)) or (selection22 and (not selection20)) or (selection23 and (not selection24)) or (selection25 and (not selection8)) or (selection26 and (not selection12)) or (selection27 and (not selection12)) or (selection28 and (not selection29)) or (selection30 and (not selection6)) or (selection31 and (not selection32)) or (selection33 and (not selection34)) or (selection2 and (not selection35)) or (selection36 and (not selection37)) or (selection38 and (not selection39)))'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0004, T1055

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/02/18	medium	N/A

Suspicious Process from Conhost

A suspicious Conhost child process may indicate code injection activity.

More details

Rule ID

parent_child_56

Query

{'selection1': {'ParentImage|endswith': '\\conhost.exe'}, 'selection2': {'Image': ['?:\\Windows\\splwow64.exe', '?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\System32\\conhost.exe']}, 'condition': 'selection1 and (not selection2)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1055

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/08/31	high	N/A

Suspicious Zoom Child Process

Launch of Zoom from a command shell may indicate an attempt to run Zoom undetected.

More details

Rule ID

parent_child_57

Query

{'selection1': {'ParentImage|endswith': '\\Zoom.exe'}, 'selection2': {'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\powershell_ise.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1036, T1055

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/09/03	medium	N/A

Unusual Parent Process for cmd.exe

Launching of cmd.exe from an unusual parent process is suspicious.

More details

Rule ID

parent_child_58

Query

{'selection1': {'Image|endswith': '\\cmd.exe'}, 'selection2': {'ParentImage|endswith': ['\\lsass.exe', '\\csrss.exe', '\\epad.exe', '\\regsvr32.exe', '\\dllhost.exe', '\\LogonUI.exe', '\\wermgr.exe', '\\spoolsv.exe', '\\jucheck.exe', '\\jusched.exe', '\\ctfmon.exe', '\\taskhostw.exe', '\\GoogleUpdate.exe', '\\sppsvc.exe', '\\sihost.exe', '\\slui.exe', '\\SIHClient.exe', '\\SearchIndexer.exe', '\\SearchProtocolHost.exe', '\\FlashPlayerUpdateService.exe', '\\WerFault.exe', '\\WUDFHost.exe', '\\unsecapp.exe', '\\wlanext.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1059

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/08/21	medium	N/A

Suspicious MS Office Child Process

Certain child processes being launched from MS Office applications or documents with macros are indicative of malicious activity.

More details

Rule ID

parent_child_59

Query

{'selection1': {'ParentImage|endswith': ['\\eqnedt32.exe', '\\excel.exe', '\\fltldr.exe', '\\msaccess.exe', '\\mspub.exe', '\\powerpnt.exe', '\\winword.exe']}, 'selection2': {'Image|endswith': ['\\Microsoft.Workflow.Compiler.exe', '\\arp.exe', '\\atbroker.exe', '\\bginfo.exe', '\\bitsadmin.exe', '\\cdb.exe', '\\certutil.exe', '\\cmd.exe', '\\cmstp.exe', '\\control.exe', '\\cscript.exe', '\\csi.exe', '\\dnx.exe', '\\dsget.exe', '\\dsquery.exe', '\\forfiles.exe', '\\fsi.exe', '\\ftp.exe', '\\gpresult.exe', '\\hostname.exe', '\\ieexec.exe', '\\iexpress.exe', '\\installutil.exe', '\\ipconfig.exe', '\\mshta.exe', '\\msxsl.exe', '\\nbtstat.exe', '\\net.exe', '\\net1.exe', '\\netsh.exe', '\\netstat.exe', '\\nltest.exe', '\\odbcconf.exe', '\\ping.exe', '\\powershell.exe', '\\pwsh.exe', '\\qprocess.exe', '\\quser.exe', '\\qwinsta.exe', '\\rcsi.exe', '\\reg.exe', '\\regasm.exe', '\\regsvcs.exe', '\\regsvr32.exe', '\\sc.exe', '\\schtasks.exe', '\\systeminfo.exe', '\\tasklist.exe', '\\tracert.exe', '\\whoami.exe', '\\wmic.exe', '\\wscript.exe', '\\xwizard.exe', '\\explorer.exe', '\\rundll32.exe', '\\hh.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, T1566

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/02/18	medium	N/A

Microsoft Build Engine Started by a System Process

It is unusual for Explorer or the WMI (Windows Management Instrumentation) subystem to launch MSBuild, the Microsoft Build Engine.

More details

Rule ID

parent_child_60

Query

{'selection1': {'Image|endswith': '\\MSBuild.exe'}, 'selection2': {'ParentImage|endswith': ['\\explorer.exe', '\\wmiprvse.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, TA0005, T1127

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/03/25	medium	The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.

Microsoft Build Engine Started by an Office Application

Launch of the Microsoft Build Engine from an Office application is unusual and may indicate the associated document has run a malicious script payload.

More details

Rule ID

parent_child_61

Query

{'selection1': {'Image|endswith': '\\MSBuild.exe'}, 'selection2': {'ParentImage|endswith': ['\\eqnedt32.exe', '\\excel.exe', '\\fltldr.exe', '\\msaccess.exe', '\\mspub.exe', '\\outlook.exe', '\\powerpnt.exe', '\\winword.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, TA0005, T1127

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/03/25	high	The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel.

Command Execution via SolarWinds Process

A SolarWinds process that launches a command-line call or PowerShell command is considered suspicious.

More details

Rule ID

parent_child_62

Query

{'selection1': {'Image|endswith': ['\\cmd.exe', '\\powershell.exe']}, 'selection2': {'ParentImage|endswith': ['\\ConfigurationWizard.exe', '\\NetflowDatabaseMaintenance.exe', '\\NetFlowService.exe', '\\SolarWinds.Administration.exe', '\\SolarWinds.Collector.Service.exe', '\\SolarwindsDiagnostics.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, TA0002, T1059, T1195

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/12/14	medium	Trusted SolarWinds child processes. Verify process details such as network connections and file writes.

Suspicious .NET Code Compilation

This may indicate suspicious .NET or Visual Basic compilation of downloaded code.

More details

Rule ID

parent_child_63

Query

{'selection1': {'Image|endswith': ['\\csc.exe', '\\vbc.exe']}, 'selection2': {'ParentImage|endswith': ['\\wscript.exe', '\\mshta.exe', '\\cscript.exe', '\\wmic.exe', '\\svchost.exe', '\\rundll32.exe', '\\cmstp.exe', '\\regsvr32.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1027

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/08/21	medium	N/A

Conhost Spawned By Suspicious Parent Process

The Console Window Host (conhost.exe) process being launched by a suspicious parent process is indicative of code injection.

More details

Rule ID

parent_child_64

Query

{'selection1': {'Image|endswith': '\\conhost.exe'}, 'selection2': {'ParentImage|endswith': ['\\svchost.exe', '\\lsass.exe', '\\services.exe', '\\smss.exe', '\\winlogon.exe', '\\explorer.exe', '\\dllhost.exe', '\\rundll32.exe', '\\regsvr32.exe', '\\userinit.exe', '\\wininit.exe', '\\spoolsv.exe', '\\wermgr.exe', '\\csrss.exe', '\\ctfmon.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1059

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/08/17	high	N/A

Unusual Child Process of dns.exe

Such an unexpected process being launched from dns.exe may indicate activity related to running of remote code or other forms of exploitation.

More details

Rule ID

parent_child_65

Query

{'selection1': {'ParentImage|endswith': '\\dns.exe'}, 'selection2': {'Image|endswith': '\\conhost.exe'}, 'condition': 'selection1 and (not selection2)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, T1133

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/07/16	high	Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn.

Script Process Child of Common Web Processes

A parent web process, such as httpd.exe, that runs a script process, such as powershell.exe, is suspicious and indicative of possible attempts for remote shell access.

More details

Rule ID

parent_child_66

Query

{'selection1': {'ParentImage|endswith': ['\\w3wp.exe', '\\httpd.exe', '\\nginx.exe', '\\php.exe', '\\php-cgi.exe', '\\tomcat.exe']}, 'selection2': {'Image|endswith': ['\\cmd.exe', '\\cscript.exe', '\\powershell.exe', '\\pwsh.exe', '\\powershell_ise.exe', '\\wmic.exe', '\\wscript.exe']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, TA0003, T1190, T1505

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/08/24	high	Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.

Suspicious Endpoint Security Parent Process

A suspicious Endpoint Security parent process was detected, which may indicate process hollowing or other form of code injection.

More details

Rule ID

parent_child_67

Query

{'selection1': {'Image|endswith': ['\\esensor.exe', '\\elastic-endpoint.exe']}, 'selection2': {'ParentImage': ['C:\\Program Files\\Elastic\\*', 'C:\\Windows\\System32\\services.exe', 'C:\\Windows\\System32\\WerFault*.exe', 'C:\\Windows\\System32\\wermgr.exe']}, 'condition': 'selection1 and (not selection2)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1036

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/08/24	medium	N/A