Rules Contributing to Parent/Child-based Suspicious Process Creation Alert
The following rules are used to identify suspicious activity with parent/child relationships associated with process creation. Any one or more of these will trigger the Parent-Child Suspicious Process Creation Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
MSHTA Spawning Windows Shell |
It is suspicious for the mshta process to launch a Windows command line executable. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\mshta.exe'}, 'selection2': [{'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\reg.exe', '\\regsvr32.exe']}, {'Image|contains': ['\\BITSADMIN']}], 'condition': 'selection and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,03cc0c25-389f-4bf8-b48d-11878079f1ca Author: Michael Haag Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
New Lolbin Process by Office Applications |
A Microsoft Office application that launches a new LOLBin process is very suspicious. More details
Rule IDQuery{'selection1': {'Image|endswith': ['\\regsvr32.exe', '\\rundll32.exe', '\\msiexec.exe', '\\mshta.exe', '\\verclsid.exe']}, 'selection2': {'ParentImage|endswith': ['\\winword.exe', '\\excel.exe', '\\powerpnt.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,23daeb52-e6eb-493c-8607-c4f0246cb7d8 Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Droppers Exploiting CVE-2017-11882 |
This is indicative an attempt to exploit vulnerabilities described in CVE-2017-11882, in which exploits often start EQNEDT32.EXE and other sub-processes such as mshta.exe. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\EQNEDT32.EXE'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,678eb5f4-8597-4be6-8be7-905e4234b53a Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Exploit for CVE-2017-8759 |
As described in CVE-2017-8759, launch of csc.exe from Winword may be an exploit attempt. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\WINWORD.EXE', 'Image|endswith': '\\csc.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,fdd84c68-a1f6-47c9-9477-920584f94905 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Shells Spawn by WinRM |
A WinRM host process that launches a shell is suspicious. More details
Rule IDQuery{'selection': {'ParentImage': '*\\wsmprovhost.exe', 'Image': ['*\\cmd.exe', '*\\sh.exe', '*\\bash.exe', '*\\powershell.exe', '*\\schtasks.exe', '*\\certutil.exe', '*\\whoami.exe', '*\\bitsadmin.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5cc2cda8-f261-4d88-a2de-e9e193c86716 Author: Andreas Hunkeler (@Karneades), Markus Neis Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Shells Spawned by Java |
A Java host process that launches certain child processes, particularly a shell process, is suspicious and may indicate exploitation such as log4j. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\java.exe', 'Image|endswith': ['\\sh.exe', '\\bash.exe', '\\powershell.exe', '\\schtasks.exe', '\\certutil.exe', '\\whoami.exe', '\\bitsadmin.exe', '\\wscript.exe', '\\cscript.exe', '\\scrcons.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe', '\\curl.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0d34ed8b-1c12-4ff2-828c-16fc860b766d Author: Andreas Hunkeler (@Karneades), Florian Roth Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
WMI Backdoor Exchange Transport Agent |
This indicates that a WMI event filter has been used to create a backdoor in an Exchange Transport Agent. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\EdgeTransport.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,797011dc-44f4-4e6f-9f10-a8ceefbe566b Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Exploit for CVE-2017-0261 |
Launch of FLTLDR.exe from Winword is uncommon and indicative of exploits described in CVE-2017-0261 and CVE-2017-0262. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\WINWORD.EXE', 'Image|contains': '\\FLTLDR.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,864403a1-36c9-40a2-a982-4c9a45f7d833 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Exploited CVE-2020-10189 Zoho ManageEngine |
This is indicative of CVE-2020-10189 which describes exploitation of Zoho ManageEngine Desktop Central - Java Deserialization. More details
Rule IDQuery{'selection': {'ParentImage|endswith': 'DesktopCentral_Server\\jre\\bin\\java.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\bitsadmin.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,846b866e-2a57-46ee-8e16-85fa92759be7 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Microsoft Office Product Spawning Windows Shell |
It is suspicious for a Microsoft Office application to launch a Windows command and scripting interpreter executable. More details
Rule IDQuery{'selection': {'ParentImage|endswith': ['\\WINWORD.EXE', '\\EXCEL.EXE', '\\POWERPNT.exe', '\\MSPUB.exe', '\\VISIO.exe', '\\MSACCESS.EXE', '\\EQNEDT32.EXE'], 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\scrcons.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\msiexec.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe', '\\svchost.exe', '\\msbuild.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,438025f9-5856-4663-83f7-52f878a70a50 Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Parent of Csc.exe |
It is considered suspicious when certain parent processes (such as wscript or mshta) have launched cwc.exe. More details
Rule IDQuery{'selection': {'Image|endswith': '\\csc.exe', 'ParentImage|endswith': ['\\wscript.exe', '\\cscript.exe', '\\mshta.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b730a276-6b63-41b8-bcf8-55930c8fc6ee Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) Tactics, Techniques, and ProceduresT1027.004, T1059.005, T1059.007, T1218.005 References
N/A
Additional Information
|
||||||||
MSHTA Spawned by SVCHOST |
This is indicative of LethalHTA (a lateral movement technique). More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\svchost.exe', 'Image|endswith': '\\mshta.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ed5d72a6-f8f4-479d-ba79-02f6a80d7471 Author: Markus Neis Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious HWP Sub Processes |
Certain sub-processes of the Hangul Word Processor (Hanword) application may indicate an exploitation attempt. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\Hwp.exe', 'Image|endswith': '\\gbb.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,023394c4-29d5-46ab-92b8-6a534c6f447b Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Time Travel Debugging Utility Usage |
Use of the Time Travel Debugging Utility (tttracer.exe) is suspicious since adversaries can use it to run malicious processes and dump processes, such as lsass.exe. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\tttracer.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0b4ae027-2a2d-4b93-8c7e-962caaba5b2a Author: Ensar Şamil, @sblmsrsn, @oscd_initiative Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
CMSTP Execution Process Creation |
This is an indicator of an attempt to use Microsoft Connection Manager Profile to bypass UAC. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\cmstp.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7d4cdc5a-0076-40ca-aac8-f7e714570e47 Author: Nik Seetharaman Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Winnti Malware HK University Campaign |
This is a characteristic of Winnti malware as reported in a Dec/Jan 2020 campaign against Hong Kong universities. More details
Rule IDQuery{'selection2': {'ParentImage|startswith': 'C:\\ProgramData\\DRM', 'Image|endswith': '\\wmplayer.exe'}, 'selection3': {'ParentImage|endswith': '\\Test.exe', 'Image|endswith': '\\wmplayer.exe'}, 'selection4': {'Image': 'C:\\ProgramData\\DRM\\CLR\\CLR.exe'}, 'selection5': {'ParentImage|startswith': 'C:\\ProgramData\\DRM\\Windows', 'Image|endswith': '\\SearchFilterHost.exe'}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3121461b-5aa0-4a41-b910-66d25524edbb Author: Florian Roth (Nextron Systems), Markus Neis Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Shells Spawned by Web Servers |
A web server process that runs a shell process indicates a possible placement of a web shell for malicious use. More details
Rule IDQuery{'selection': {'ParentImage|endswith': ['\\w3wp.exe', '\\httpd.exe', '\\nginx.exe', '\\php-cgi.exe', '\\tomcat.exe', '\\UMWorkerProcess.exe', '\\ws_TomcatService.exe'], 'Image|endswith': ['\\cmd.exe', '\\sh.exe', '\\bash.exe', '\\powershell.exe', '\\bitsadmin.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8202070f-edeb-4d31-a010-a26c72ac5600 Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Sdclt Child Processes |
The sdclt process creating a child process indicates a possible attempt to bypass UAC. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\sdclt.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,da2738f2-fadb-4394-afa7-0a0674885afa Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
LOLBins Process Creation with WmiPrvse |
A LOLBin process created by wmiprvse is suspicious. More details
Rule IDQuery{'selection1': {'Image|endswith': ['\\regsvr32.exe', '\\rundll32.exe', '\\msiexec.exe', '\\mshta.exe', '\\verclsid.exe']}, 'selection2': {'ParentImage|endswith': '\\wbem\\WmiPrvSE.exe'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8a582fe2-0882-4b89-a82a-da6b2dc32937 Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
MMC Spawning Windows Shell |
It is suspicious for MMC to launch a Windows command-line executable. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\mmc.exe'}, 'selection2': [{'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\reg.exe', '\\regsvr32.exe']}, {'Image|contains': ['\\BITSADMIN']}], 'condition': 'selection and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,05a2ab7e-ce11-4b63-86db-ab32e763e11d Author: Karneades, Swisscom CSIRT Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Shells Spawn by Java Utility Keytool |
It is suspicious for the Java utility keytool process to launch a shell and indicates potential exploitations, such as adselfservice. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\keytool.exe', 'Image|endswith': ['\\cmd.exe', '\\sh.exe', '\\bash.exe', '\\powershell.exe', '\\schtasks.exe', '\\certutil.exe', '\\whoami.exe', '\\bitsadmin.exe', '\\wscript.exe', '\\cscript.exe', '\\scrcons.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,90fb5e62-ca1f-4e22-b42e-cc521874c938 Author: Andreas Hunkeler (@Karneades) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
UAC Bypass via Windows Event Viewer |
A UAC bypass attempt to run code with elevated permissions may be indicated when eventvwr.exe launches mmc.exe or WerFault.exe. More details
Rule IDQuery{'methprocess': {'ParentImage|endswith': '\\eventvwr.exe'}, 'filterprocess': {'Image': ['?:\\Windows\\SysWOW64\\mmc.exe', '?:\\Windows\\System32\\mmc.exe', '?:\\Windows\\SysWOW64\\WerFault.exe', '?:\\Windows\\System32\\WerFault.exe']}, 'condition': 'methprocess and not filterprocess'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,be344333-921d-4c4d-8bb8-e584cf584780 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Malicious PE Execution by Microsoft Visual Studio Debugger |
The MS VS Just-In-Time Debugger (vsjitdebugger.exe), which is a signed/verified binary, can be exploited to launch malicious code. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\vsjitdebugger.exe'}, 'reduction1': {'Image|endswith': '\\vsimmersiveactivatehelper*.exe'}, 'reduction2': {'Image|endswith': '\\devenv.exe'}, 'condition': 'selection and not (reduction1 or reduction2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,15c7904e-6ad1-4a45-9b46-5fb25df37fd2 Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
CVE-2021-26857 Exchange Exploitation |
The CVE-2021-26857 vulnerability is indicated when abnormal subprocesses are launched from Microsoft Exchange Server’s Unified Messaging service. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\UMWorkerProcess.exe'}, 'filter': {'Image|endswith': ['\\wermgr.exe', '\\WerFault.exe']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cd479ccc-d8f0-4c66-ba7d-e06286f3f887 Author: Bhabesh Raj Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
MS Office Product Spawning Exe in User Dir |
It is suspicious for a Microsoft Office application to launch an executable in the Users directory. More details
Rule IDQuery{'selection': {'ParentImage|endswith': ['\\WINWORD.EXE', '\\EXCEL.EXE', '\\POWERPNT.exe', '\\MSPUB.exe', '\\VISIO.exe'], 'Image|startswith': 'C:\\users\\', 'Image|endswith': '.exe'}, 'filter': {'Image|endswith': '\\Teams.exe'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,aa3a6f94-890e-4e22-b634-ffdfd54792cc Author: Jason Lynch Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Execution via stordiag.exe |
The stordiag.exe process launch processes such as systeminfo.exe from a non-standard path is suspicious. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\stordiag.exe', 'Image|endswith': ['\\schtasks.exe', '\\systeminfo.exe', '\\fltmc.exe']}, 'filter': {'ParentImage|startswith': ['c:\\windows\\system32\\', 'c:\\windows\\syswow64\\']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,961e0abb-1b1e-4c84-a453-aafe56ad0d34 Author: Austin Songer (@austinsonger) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Always Install Elevated MSI Spawned Cmd And Powershell |
A Windows Installer service that launches a command-line shell or PowerShell is considered suspicious. More details
Rule IDQuery{'image': {'Image|endswith': ['\\cmd.exe', '\\powershell.exe']}, 'parent_image': {'ParentImage|contains|all': ['\\Windows\\Installer\\', 'msi'], 'ParentImage|endswith': ['tmp']}, 'condition': 'image and parent_image'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1e53dd56-8d83-4eb4-a43e-b790a05510aa Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Wsreset UAC Bypass |
The Wsreset.exe tool can be used to reset the Windows Store to bypass UAC. More details
Rule IDQuery{'selection': {'ParentImage|endswith': ['\\WSreset.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
DNS RCE CVE-2020-1350 |
This indicates possible exploitation of a DNS RCE bug, as decribed in CVE-2020-1350. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\System32\\dns.exe'}, 'filter': {'Image|endswith': ['\\System32\\werfault.exe', '\\System32\\conhost.exe', '\\System32\\dnscmd.exe']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b5281f31-f9cc-4d0d-95d0-45b91c45b487 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
ScreenConnect Backstage Mode Anomaly |
This indicates the use of Backstage mode of the ScreenConnect client, which is suspicious. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\ScreenConnect.ClientService.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious LSASS Process Clone |
This is a suspicious LSASS process clone, which could be a sign of process dumping activity. More details
Rule IDQuery{'selection': {'Image|endswith': '\\Windows\\System32\\lsass.exe', 'ParentImage|endswith': '\\Windows\\System32\\lsass.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c8da0dfd-4ed0-4b68-962d-13c9c884384e Author: Florian Roth (Nextron Systems), Samir Bousseaden Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Visual Basic Command Line Compiler Usage |
Use of vbc.exe with child process cvtres.exe (Windows Resource to Object Converter) should not be seen in an enterprise environment. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\vbc.exe', 'Image|endswith': '\\cvtres.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7b10f171-7f04-47c7-9fa2-5be43c76e535 Author: Ensar Şamil, @sblmsrsn, @oscd_initiative Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Service Run-time Directory |
The services or svchost process running in a non-standard directory is suspicious. More details
Rule IDQuery{'selection': {'Image|contains': ['\\Users\\Public\\', '\\$Recycle.bin', '\\Users\\All Users\\', '\\Users\\Default\\', '\\Users\\Contacts\\', '\\Users\\Searches\\', 'C:\\Perflogs\\', '\\config\\systemprofile\\', '\\Windows\\Fonts\\', '\\Windows\\IME\\', '\\Windows\\addins\\'], 'ParentImage|endswith': ['\\services.exe', '\\svchost.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,883faa95-175a-4e22-8181-e5761aeb373c Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Mshta Spawning Windows Shell |
The mshta.exe process launching a command shell process is suspicious. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\mshta.exe', 'Image|endswith': ['\\powershell.exe', '\\cmd.exe', '\\WScript.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,772bb24c-8df2-4be0-9157-ae4dfa794037 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Bypass UAC via Fodhelper.exe |
This could indicate the use of Fodhelper.exe to bypass User Account Control. Adversaries may use this technique to run privileged processes. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\fodhelper.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7f741dcf-fc22-4759-87b4-9ae8376676a2 Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Serv-U Process Pattern |
Certain child processes launched by Serve-U.exe indicate possible exploitation. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\Serv-U.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\wmic.exe', '\\mshta.exe', '\\rundll32.exe', '\\msiexec.exe', '\\forfiles.exe', '\\scriptrunner.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,58f4ea09-0fc2-4520-ba18-b85c540b0eaf Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
HTML Help Shell Spawn |
It is a suspicious a child process of the Microsoft HTML Help system. More details
Rule IDQuery{'selection': {'ParentImage': 'C:\\Windows\\hh.exe', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\regsvr32.exe', '\\wmic.exe', '\\rundll32.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,52cad028-0ff0-4854-8f67-d25dfcbc78b4 Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresT1047, T1059.001, T1059.003, T1059.005, T1059.007, T1218.001, T1218.010, T1218.011 References
N/A
Additional Information
|
||||||||
Regedit as Trusted Installer |
Running the regedit process as a TrustedInstaller is suspicious. More details
Rule IDQuery{'selection': {'Image|endswith': '\\regedit.exe', 'ParentImage|endswith': ['\\TrustedInstaller.exe', '\\ProcessHacker.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,883835a7-df45-43e4-bf1d-4268768afda4 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Script Event Consumer Spawning Process |
The scrcons.exe process launching PowerShell or other uncommon processes is suspicious. More details
Rule IDQuery{'selection': {'ParentImage|endswith': ['\\scrcons.exe'], 'Image|endswith': ['\\svchost.exe', '\\dllhost.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\mshta.exe', '\\rundll32.exe', '\\msiexec.exe', '\\msbuild.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f6d1dd2f-b8ce-40ca-bc23-062efb686b34 Author: Sittikorn S Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
WMI Persistence - Script Event Consumer |
A persistent scrcons.exe child process indicates a WMI backdoor may have been created. More details
Rule IDQuery{'selection': {'Image': 'C:\\WINDOWS\\system32\\wbem\\scrcons.exe', 'ParentImage': 'C:\\Windows\\System32\\svchost.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e Author: Thomas Patzke Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Svchost Process |
Launch of svchost.exe from certain parent processes is suspicious. More details
Rule IDQuery{'selection': {'Image|endswith': '\\svchost.exe'}, 'filter': {'ParentImage|endswith': ['\\services.exe', '\\MsMpEng.exe', '\\Mrt.exe', '\\rpcnet.exe', '\\svchost.exe', '\\ngen.exe', '\\TiWorker.exe']}, 'filter_null1': {'ParentImage': None}, 'filter_null2': {'ParentImage': ''}, 'filter_emptysysmon': {'ParentImage': '-'}, 'condition': 'selection and not 1 of filter*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,01d2e2a1-5f09-44f7-9fc1-24faa7479b6d Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Exploit for CVE-2015-1641 |
Launch of MicroScMgmt.exe from Winword is uncommon and indicative of exploits described in CVE-2015-1641. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\WINWORD.EXE', 'Image|endswith': '\\MicroScMgmt.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7993792c-5ce2-4475-a3db-a3a5539827ef Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
TA505 Dropper Load Pattern |
Loading of the mshta process by the wmiprvse process is indicative of TA505 malicious documents. More details
Rule IDQuery{'selection': {'Image|endswith': '\\mshta.exe', 'ParentImage|endswith': '\\wmiprvse.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Execution via WorkFolders.exe |
It is suspicious for WorkFolders.exe to run an arbitrary control.exe. More details
Rule IDQuery{'selection': {'Image|endswith': '\\control.exe', 'ParentImage|endswith': '\\WorkFolders.exe'}, 'filter': {'Image': 'C:\\Windows\\System32\\control.exe'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0bbc6369-43e3-453d-9944-cae58821c173 Author: Maxime Thiebaut (@0xThiebaut) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Microsoft Outlook Product Spawning Windows Shell |
It is suspicious for Microsoft Outlook to start a Windows command and scripting interpreter executable. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\OUTLOOK.EXE', 'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe', '\\sh.exe', '\\bash.exe', '\\scrcons.exe', '\\schtasks.exe', '\\regsvr32.exe', '\\hh.exe', '\\wmic.exe', '\\mshta.exe', '\\msiexec.exe', '\\forfiles.exe', '\\scriptrunner.exe', '\\mftrace.exe', '\\AppVLP.exe', '\\svchost.exe', '\\msbuild.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,208748f7-881d-47ac-a29c-07ea84bf691d Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Bypass UAC via WSReset.exe |
This could indicate the use of WSReset.exe to bypass User Account Control. Adversaries may use this technique to run privileged processes. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\wsreset.exe'}, 'filter': {'Image|endswith': '\\conhost.exe'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d797268e-28a9-49a7-b9a8-2f5039011c5c Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Remote PowerShell Session Host Process (WinRM) |
Remote PowerShell sessions may be suspicious. More details
Rule IDQuery{'selection': [{'Image|endswith': '\\wsmprovhost.exe'}, {'ParentImage|endswith': '\\wsmprovhost.exe'}], 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Emissary Panda Malware SLLauncher |
This indicates running of DLL side-loading malware which is used by the threat group Emissary Panda, also known as APT27. More details
Rule IDQuery{'selection': {'ParentImage|endswith': '\\sllauncher.exe', 'Image|endswith': '\\svchost.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9aa01d62-7667-4d3b-acb8-8cb5103e2014 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious JAVA Child Process |
This may indicate an attempt to run a malicious JAR file or an attempt to exploit a JAVA-specific vulnerability. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': '/java'}, 'selection2': {'Image|endswith': ['/sh', '/bash', '/dash', '/ksh', '/tcsh', '/zsh', '/curl', '/wget']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Linux Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious SolarWinds Child Process |
A SolarWinds process that launches a child process may indicate an attempt to run malicious programs. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': ['\\SolarWinds.BusinessLayerHost.exe', '\\SolarWinds.BusinessLayerHostx64.exe']}, 'selection2': {'Image|endswith': ['\\APMServiceControl.exe', '\\ExportToPDFCmd.Exe', '\\SolarWinds.Credentials.Orion.WebApi.exe', '\\SolarWinds.Orion.Topology.Calculator.exe', '\\Database-Maint.exe', '\\SolarWinds.Orion.ApiPoller.Service.exe', '\\WerFault.exe', '\\WerMgr.exe']}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Execution via MSSQL xp_cmdshell Stored Procedure |
Use of MSSQL to run a stored procedure with xp_cmdshell, disabled by default, indicates a user may be attempting to elevate their privileges. More details
Rule IDQuery{'selection1': {'Image|endswith': '\\cmd.exe'}, 'selection2': {'ParentImage|endswith': '\\sqlservr.exe'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Process Activity via Compiled HTML File |
Compiled HTML files (.chm), commonly distributed as help systems, have the capability of concealing malicious code and delivering to a victim system. It is suspicious when the runtime program for .chm files (hh.exe) launches other certain processes (such as a command shell). More details
Rule IDQuery{'selection1': {'ParentImage|endswith': '\\hh.exe'}, 'selection2': {'Image|endswith': ['\\mshta.exe', '\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\powershell_ise.exe', '\\cscript.exe', '\\wscript.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Signed Proxy Execution via MS WorkFolders |
Use of Windows Work Folders to run a control.exe file in the current working directory is indicative of potential malicious activity. More details
Rule IDQuery{'selection1': {'Image|endswith': '\\control.exe'}, 'selection2': {'ParentImage|endswith': '\\WorkFolders.exe'}, 'selection3': {'Image': ['?:\\Windows\\System32\\control.exe', '?:\\Windows\\SysWOW64\\control.exe']}, 'condition': 'selection1 and selection2 and (not selection3)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Microsoft Exchange Server UM Spawning Suspicious Processes |
The CVE-2021-26857 vulnerability may be indicated when Exchange Server UM processes launch unexpected child processes. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': ['\\UMService.exe', '\\UMWorkerProcess.exe']}, 'selection2': {'Image|endswith': ['\\werfault.exe', '\\wermgr.exe']}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Unusual Parent-Child Relationship |
A Windows program run from an unexpected parent process could indicate masquerading or other strange activity on a system. More details
Rule IDQuery{'selection1': {'Image|endswith': '\\autochk.exe'}, 'selection2': {'ParentImage|endswith': '\\smss.exe'}, 'selection3': {'Image|endswith': ['\\fontdrvhost.exe', '\\dwm.exe']}, 'selection4': {'ParentImage|endswith': ['\\wininit.exe', '\\winlogon.exe']}, 'selection5': {'Image|endswith': ['\\consent.exe', '\\RuntimeBroker.exe', '\\TiWorker.exe']}, 'selection6': {'ParentImage|endswith': '\\svchost.exe'}, 'selection7': {'Image|endswith': '\\SearchIndexer.exe'}, 'selection8': {'ParentImage|endswith': '\\services.exe'}, 'selection9': {'Image|endswith': '\\SearchProtocolHost.exe'}, 'selection10': {'ParentImage|endswith': ['\\SearchIndexer.exe', '\\dllhost.exe']}, 'selection11': {'Image|endswith': '\\dllhost.exe'}, 'selection12': {'ParentImage|endswith': ['\\services.exe', '\\svchost.exe']}, 'selection13': {'Image|endswith': '\\smss.exe'}, 'selection14': {'ParentImage|endswith': ['\\System', '\\smss.exe']}, 'selection15': {'Image|endswith': '\\csrss.exe'}, 'selection16': {'ParentImage|endswith': ['\\smss.exe', '\\svchost.exe']}, 'selection17': {'Image|endswith': '\\wininit.exe'}, 'selection18': {'Image|endswith': '\\winlogon.exe'}, 'selection19': {'Image|endswith': ['\\lsass.exe', '\\LsaIso.exe']}, 'selection20': {'ParentImage|endswith': '\\wininit.exe'}, 'selection21': {'Image|endswith': '\\LogonUI.exe'}, 'selection22': {'Image|endswith': '\\services.exe'}, 'selection23': {'Image|endswith': '\\svchost.exe'}, 'selection24': {'ParentImage|endswith': ['\\MsMpEng.exe', '\\services.exe']}, 'selection25': {'Image|endswith': '\\spoolsv.exe'}, 'selection26': {'Image|endswith': '\\taskhost.exe'}, 'selection27': {'Image|endswith': '\\taskhostw.exe'}, 'selection28': {'Image|endswith': '\\userinit.exe'}, 'selection29': {'ParentImage|endswith': ['\\dwm.exe', '\\winlogon.exe']}, 'selection30': {'Image|endswith': ['\\wmiprvse.exe', '\\wsmprovhost.exe', '\\winrshost.exe']}, 'selection31': {'ParentImage|endswith': ['\\SearchProtocolHost.exe', '\\csrss.exe']}, 'selection32': {'Image|endswith': ['\\werfault.exe', '\\wermgr.exe', '\\WerFaultSecure.exe']}, 'selection33': {'ParentImage|endswith': '\\autochk.exe'}, 'selection34': {'Image|endswith': ['\\chkdsk.exe', '\\doskey.exe', '\\WerFault.exe']}, 'selection35': {'Image|endswith': ['\\autochk.exe', '\\smss.exe', '\\csrss.exe', '\\wininit.exe', '\\winlogon.exe', '\\setupcl.exe', '\\WerFault.exe']}, 'selection36': {'ParentImage|endswith': '\\wermgr.exe'}, 'selection37': {'Image|endswith': ['\\WerFaultSecure.exe', '\\wermgr.exe', '\\WerFault.exe']}, 'selection38': {'ParentImage|endswith': '\\conhost.exe'}, 'selection39': {'Image|endswith': ['\\mscorsvw.exe', '\\wermgr.exe', '\\WerFault.exe', '\\WerFaultSecure.exe']}, 'condition': '((selection1 and (not selection2)) or (selection3 and (not selection4)) or (selection5 and (not selection6)) or (selection7 and (not selection8)) or (selection9 and (not selection10)) or (selection11 and (not selection12)) or (selection13 and (not selection14)) or (selection15 and (not selection16)) or (selection17 and (not selection2)) or (selection18 and (not selection2)) or (selection19 and (not selection20)) or (selection21 and (not selection4)) or (selection22 and (not selection20)) or (selection23 and (not selection24)) or (selection25 and (not selection8)) or (selection26 and (not selection12)) or (selection27 and (not selection12)) or (selection28 and (not selection29)) or (selection30 and (not selection6)) or (selection31 and (not selection32)) or (selection33 and (not selection34)) or (selection2 and (not selection35)) or (selection36 and (not selection37)) or (selection38 and (not selection39)))'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Process from Conhost |
A suspicious Conhost child process may indicate code injection activity. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': '\\conhost.exe'}, 'selection2': {'Image': ['?:\\Windows\\splwow64.exe', '?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\System32\\conhost.exe']}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Zoom Child Process |
Launch of Zoom from a command shell may indicate an attempt to run Zoom undetected. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': '\\Zoom.exe'}, 'selection2': {'Image|endswith': ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\powershell_ise.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Unusual Parent Process for cmd.exe |
Launching of cmd.exe from an unusual parent process is suspicious. More details
Rule IDQuery{'selection1': {'Image|endswith': '\\cmd.exe'}, 'selection2': {'ParentImage|endswith': ['\\lsass.exe', '\\csrss.exe', '\\epad.exe', '\\regsvr32.exe', '\\dllhost.exe', '\\LogonUI.exe', '\\wermgr.exe', '\\spoolsv.exe', '\\jucheck.exe', '\\jusched.exe', '\\ctfmon.exe', '\\taskhostw.exe', '\\GoogleUpdate.exe', '\\sppsvc.exe', '\\sihost.exe', '\\slui.exe', '\\SIHClient.exe', '\\SearchIndexer.exe', '\\SearchProtocolHost.exe', '\\FlashPlayerUpdateService.exe', '\\WerFault.exe', '\\WUDFHost.exe', '\\unsecapp.exe', '\\wlanext.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious MS Office Child Process |
Certain child processes being launched from MS Office applications or documents with macros are indicative of malicious activity. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': ['\\eqnedt32.exe', '\\excel.exe', '\\fltldr.exe', '\\msaccess.exe', '\\mspub.exe', '\\powerpnt.exe', '\\winword.exe']}, 'selection2': {'Image|endswith': ['\\Microsoft.Workflow.Compiler.exe', '\\arp.exe', '\\atbroker.exe', '\\bginfo.exe', '\\bitsadmin.exe', '\\cdb.exe', '\\certutil.exe', '\\cmd.exe', '\\cmstp.exe', '\\control.exe', '\\cscript.exe', '\\csi.exe', '\\dnx.exe', '\\dsget.exe', '\\dsquery.exe', '\\forfiles.exe', '\\fsi.exe', '\\ftp.exe', '\\gpresult.exe', '\\hostname.exe', '\\ieexec.exe', '\\iexpress.exe', '\\installutil.exe', '\\ipconfig.exe', '\\mshta.exe', '\\msxsl.exe', '\\nbtstat.exe', '\\net.exe', '\\net1.exe', '\\netsh.exe', '\\netstat.exe', '\\nltest.exe', '\\odbcconf.exe', '\\ping.exe', '\\powershell.exe', '\\pwsh.exe', '\\qprocess.exe', '\\quser.exe', '\\qwinsta.exe', '\\rcsi.exe', '\\reg.exe', '\\regasm.exe', '\\regsvcs.exe', '\\regsvr32.exe', '\\sc.exe', '\\schtasks.exe', '\\systeminfo.exe', '\\tasklist.exe', '\\tracert.exe', '\\whoami.exe', '\\wmic.exe', '\\wscript.exe', '\\xwizard.exe', '\\explorer.exe', '\\rundll32.exe', '\\hh.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Microsoft Build Engine Started by a System Process |
It is unusual for Explorer or the WMI (Windows Management Instrumentation) subystem to launch MSBuild, the Microsoft Build Engine. More details
Rule IDQuery{'selection1': {'Image|endswith': '\\MSBuild.exe'}, 'selection2': {'ParentImage|endswith': ['\\explorer.exe', '\\wmiprvse.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Microsoft Build Engine Started by an Office Application |
Launch of the Microsoft Build Engine from an Office application is unusual and may indicate the associated document has run a malicious script payload. More details
Rule IDQuery{'selection1': {'Image|endswith': '\\MSBuild.exe'}, 'selection2': {'ParentImage|endswith': ['\\eqnedt32.exe', '\\excel.exe', '\\fltldr.exe', '\\msaccess.exe', '\\mspub.exe', '\\outlook.exe', '\\powerpnt.exe', '\\winword.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Command Execution via SolarWinds Process |
A SolarWinds process that launches a command-line call or PowerShell command is considered suspicious. More details
Rule IDQuery{'selection1': {'Image|endswith': ['\\cmd.exe', '\\powershell.exe']}, 'selection2': {'ParentImage|endswith': ['\\ConfigurationWizard.exe', '\\NetflowDatabaseMaintenance.exe', '\\NetFlowService.exe', '\\SolarWinds.Administration.exe', '\\SolarWinds.Collector.Service.exe', '\\SolarwindsDiagnostics.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious .NET Code Compilation |
This may indicate suspicious .NET or Visual Basic compilation of downloaded code. More details
Rule IDQuery{'selection1': {'Image|endswith': ['\\csc.exe', '\\vbc.exe']}, 'selection2': {'ParentImage|endswith': ['\\wscript.exe', '\\mshta.exe', '\\cscript.exe', '\\wmic.exe', '\\svchost.exe', '\\rundll32.exe', '\\cmstp.exe', '\\regsvr32.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Conhost Spawned By Suspicious Parent Process |
The Console Window Host (conhost.exe) process being launched by a suspicious parent process is indicative of code injection. More details
Rule IDQuery{'selection1': {'Image|endswith': '\\conhost.exe'}, 'selection2': {'ParentImage|endswith': ['\\svchost.exe', '\\lsass.exe', '\\services.exe', '\\smss.exe', '\\winlogon.exe', '\\explorer.exe', '\\dllhost.exe', '\\rundll32.exe', '\\regsvr32.exe', '\\userinit.exe', '\\wininit.exe', '\\spoolsv.exe', '\\wermgr.exe', '\\csrss.exe', '\\ctfmon.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Unusual Child Process of dns.exe |
Such an unexpected process being launched from dns.exe may indicate activity related to running of remote code or other forms of exploitation. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': '\\dns.exe'}, 'selection2': {'Image|endswith': '\\conhost.exe'}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Script Process Child of Common Web Processes |
A parent web process, such as httpd.exe, that runs a script process, such as powershell.exe, is suspicious and indicative of possible attempts for remote shell access. More details
Rule IDQuery{'selection1': {'ParentImage|endswith': ['\\w3wp.exe', '\\httpd.exe', '\\nginx.exe', '\\php.exe', '\\php-cgi.exe', '\\tomcat.exe']}, 'selection2': {'Image|endswith': ['\\cmd.exe', '\\cscript.exe', '\\powershell.exe', '\\pwsh.exe', '\\powershell_ise.exe', '\\wmic.exe', '\\wscript.exe']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Endpoint Security Parent Process |
A suspicious Endpoint Security parent process was detected, which may indicate process hollowing or other form of code injection. More details
Rule IDQuery{'selection1': {'Image|endswith': ['\\esensor.exe', '\\elastic-endpoint.exe']}, 'selection2': {'ParentImage': ['C:\\Program Files\\Elastic\\*', 'C:\\Windows\\System32\\services.exe', 'C:\\Windows\\System32\\WerFault*.exe', 'C:\\Windows\\System32\\wermgr.exe']}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|