Rules Contributing to Windows Suspicious Process Creation Alert

The following rules are used to identify suspicious activity associated with process creation. Any one or more of these will trigger the Suspicious Process Creation Alert. Details for each rule can be viewed by clicking the More Details link in the description.

| Title | Description |
| --- | --- |
| Powershell Process Created by Internet Explorer | A Powershell process has been created by Internet Explorer. This can indicate a malicious website has successfully launched an exploit. |
| Powershell Process Created by Office PowerPoint | A Powershell process has been created by Microsoft Office PowerPoint. This can indicate a malicious document containing a macro or an exploit has been opened by the user. |
| Executable with Suspicious Extension | An executable was launched with a well-known extension (such as a document or image extension) preceding the executable extension. This could be an indication that a user was tricked into executing a malicious program. |
| Process created by dbgsrv debugger | A known, signed debugger (dbgsrv) has been detected creating a remote process. This could be used by an attacker trying to bypass application whitelisting. |
| Powershell Process Created by Office Word | A Powershell process has been created by Microsoft Office Word. This can indicate a malicious document containing a macro or an exploit has been opened by the user. |
| Java Process Spawning Scripting Process | A suspicious scripting process has been created by a Java process. This could be an indication of malicious activity. |
| Potential LSASS Clone Creation via PssCaptureSnapShot | Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |
| Powershell Process Created by webserver process | A webserver process has created a Powershell session. This could be the result of a successful exploitation of the webserver or the installation of a webshell. |
| Process Execution Using pcwutl.dll | A process has been launched using the pcwutl.dll library. This can indicate an attacker is trying to bypass whitelisting technologies. |
| Windows Hacking Tool Detected | A common hacking tool was detected being used on this machine. While hacking tools can be used for system diagnostics during routine maintenance, they are also a common indicator of malware performing additional reconnaissance or privilege escalation. |
| Executable launched using Windows PresentationHost tool | Windows Presentation Foundation Host (PresentationHost.exe) enables applications to be hosted in compatible browsers. This tool can bypass code integrity enforcement in Windows Defender Application Control. |
| Executable Launched from System Volume Information | Running executables from the System Volume Information folder is a common technique used by malware in order to hide itself. This could be an indication of malicious activity. |
| Powershell Process Created by Office Excel | A Powershell process has been created by Microsoft Office Excel. This can indicate a malicious document containing a macro or an exploit has been opened by the user. |
| Detected scripting process spawned by WinRAR | A scripting process (wscript.exe, cscript.exe or mshta.exe) was launched directly by WinRAR. This behavior is commonly exhibited by packed malware. |
| RDP process spawning a suspicious process | An unauthenticated attacker could connect to the target system using RDP and send specially crafted requests. Exploiting such a vulnerability could execute arbitrary code on the target system. |
| Windows UAC bypass - UACME tool | User Account Control bypass activity was detected. This can be due to either a regular operation or an attacker trying to escalate privileges. |
| MS Exchange transport agent backdoor | Transport agents let you install custom software on an Exchange server. This could be used by malware to gain persistence and install backdoors. |
| Executable launched using Synaptics Touchpad Enhancements tool | The Synaptics Touchpad Enhancements utility allows you to run binaries on the system. This tool can bypass code integrity enforcement in Windows Defender Application Control. |
| SharPyShell Process Execution Detected | SharPyShell is a known hacking tool that is able to deploy a shell into an ASP.NET server. This shell can be controlled remotely from a malicious server. A process with these characteristics has been detected, which is an indicator of compromise by SharPyShell. |
| User Privilege Escalation | A privilege escalation behavior has been detected: it is not common to run a process as SYSTEM from a user's directory. This could be an indication of malicious activity. |
| Suspicious Process Created by mshta.exe | A suspicious process has been created by mshta.exe. This can indicate an attacker is using built-in Windows functionality to perform malicious activity. |
| Java Process Spawning WMIC | The wmic.exe process was executed by a Java process. This could be an indication of malicious activity. |
| Process Spawning Fodhelper | A process has spawned Fodhelper.exe. There is a known UAC bypass that abuses Fodhelper.exe to escalate privileges. |
| Executable Launched from Recycle Bin | Running executables from the Recycle Bin folder is a common technique used by malware in order to hide itself. This could be an indication of malicious activity. |
| Suspicious Process Created by Notepad or Calculator | A potentially suspicious process was started by either Notepad or Calculator. This could be the result of a malicious file being opened by the user or a proof-of-concept being tested. |
| Suspicious Process Created by Microsoft Office Application | A potentially suspicious process was started by a Microsoft Office application. This can indicate a malicious document containing a macro or an exploit has been opened by the user. |
| Windows mofcomp with suspicious file extension | The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers could use this tool to compile malicious WMI classes. |
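To show how a subset of these parent/child, folder and extension rules evaluate against process-creation telemetry, here is an added toy evaluator (example code, not the product's detection engine). The event format, the web server image names and the "well-known" extension list are assumptions; the sample events are constructed.

```python
import ntpath

# Parent image -> wording used in the rule title for PowerShell spawned by a browser/Office app.
PS_PARENTS = {"iexplore.exe": "Internet Explorer", "winword.exe": "Office Word",
              "excel.exe": "Office Excel", "powerpnt.exe": "Office PowerPoint"}
WEBSERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}          # assumed web server images
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}     # taken from the WinRAR rule
DOC_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg", "zip"}  # assumed "well-known" extensions

def evaluate(event):
    """Return the titles of the rules matched by one process-creation event.
    `event` is a constructed dict with 'parent' and 'image' full paths."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    hits = []
    if image == "powershell.exe" and parent in PS_PARENTS:
        hits.append(f"Powershell Process Created by {PS_PARENTS[parent]}")
    if image == "powershell.exe" and parent in WEBSERVERS:
        hits.append("Powershell Process Created by webserver process")
    if parent == "java.exe" and image == "wmic.exe":
        hits.append("Java Process Spawning WMIC")
    elif parent == "java.exe" and image in SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}:
        hits.append("Java Process Spawning Scripting Process")
    if parent == "winrar.exe" and image in SCRIPT_HOSTS:
        hits.append("Detected scripting process spawned by WinRAR")
    if image == "fodhelper.exe":
        hits.append("Process Spawning Fodhelper")
    folder = ntpath.dirname(event["image"]).lower() + "\\"   # trailing slash for a clean match
    if "\\system volume information\\" in folder:
        hits.append("Executable Launched from System Volume Information")
    if "\\$recycle.bin\\" in folder:
        hits.append("Executable Launched from Recycle Bin")
    parts = image.split(".")   # e.g. invoice.pdf.exe -> ['invoice', 'pdf', 'exe']
    if len(parts) >= 3 and parts[-1] in {"exe", "scr", "com"} and parts[-2] in DOC_EXTS:
        hits.append("Executable with Suspicious Extension")
    return hits

# Constructed sample events (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent": r"C:\Program Files\WinRAR\WinRAR.exe", "image": r"C:\Windows\System32\mshta.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\$Recycle.Bin\S-1-5-21-1\invoice.pdf.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

def alert_summary(events=SAMPLE_EVENTS):
    """Map each offending image name to its matched rule titles; events with no hits are omitted."""
    return {ntpath.basename(e["image"]): evaluate(e) for e in events if evaluate(e)}
```

Because the checks are independent, one event can trip several rules at once, which is exactly why the alert fires on "any one or more" of them.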