Rules Contributing to Windows Suspicious Process Creation Alert
The following rules are used to identify suspicious activity associated with process creation. Any one or more of them will trigger the Suspicious Process Creation Alert.

Powershell Process Created by Internet Explorer

A Powershell process has been created by Internet Explorer. This can indicate that a malicious website has successfully launched an exploit.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'iexplore.exe'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Powershell Process Created by Office PowerPoint

A Powershell process has been created by Microsoft Office PowerPoint. This can indicate that a malicious document containing a macro or an exploit has been opened by the user.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'POWERPNT.EXE'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Executable with Suspicious Extension

An executable was launched with a well-known file extension preceding the executable extension. This could indicate that a user was tricked into executing a malicious program.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\.(jpeg|jpg|png|gif|tiff|ico|zip|rar|pdf)\\.(exe|msi|scr|hta|bat|hta)$'}, 'selection4': {'CurrentDirectory|re': '(?:\\\\Program Files(?:\\(x86\\))?|\\\\PROGRA~(?:1|2))'}, 'condition': 'selection2 and selection3 and not selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Process created by dbgsrv debugger

Known signed debugger software (dbgsrv.exe) has been detected creating a remote process. This could be used by an attacker trying to bypass application whitelisting.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\dbgsrv.exe'}, 'selection4': {'ParentCommandLine|contains': 'clicon='}, 'selection5': {'ParentCommandLine|contains': 'port='}, 'condition': 'selection2 and selection3 and selection4 and selection5'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Powershell Process Created by Office Word

A Powershell process has been created by Microsoft Office Word. This can indicate that a malicious document containing a macro or an exploit has been opened by the user.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'WINWORD.EXE'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Java Process Spawning Scripting Process

A suspicious scripting process has been created by Java software. This could be an indication of malicious activity.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|re': '\\\\java[w]?\\.exe'}, 'selection4': {'Image|re': '(?:powershell|wscript|cscript|mshta)\\.exe'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Potential LSASS Clone Creation via PssCaptureSnapShot

Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

- Query: `{'selection1': {'EventID': 4688}, 'selection2': {'Image': '?:\\Windows\\System32\\lsass.exe'}, 'selection3': {'ParentImage': '?:\\Windows\\System32\\lsass.exe'}, 'condition': 'selection1 and selection2 and selection3'}`
- Log Source: Stellar Cyber Windows Server Sensor configured.
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 75

Powershell Process Created by webserver process

A web server process has created a Powershell session. This could be the result of successful exploitation of the web server or the installation of a webshell.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'powershell.exe'}, 'selection4': {'ParentImage|contains': 'w3wp.exe'}, 'selection5': {'ParentImage|contains': 'httpd.exe'}, 'selection6': {'ParentImage|contains': 'tomcat6.exe'}, 'selection7': {'ParentImage|contains': 'nginx.exe'}, 'selection8': {'ParentImage|contains': 'php-cgi.exe'}, 'selection9': {'ParentImage|contains': 'tomcat.exe'}, 'condition': 'selection2 and selection3 and (selection4 or selection5 or selection6 or selection7 or selection8 or selection9)'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Process Execution Using pcwutl.dll

A process has been launched using the pcwutl.dll library. This can indicate that an attacker is trying to bypass application whitelisting technologies.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\rundll32.exe'}, 'selection4': {'ParentCommandLine|contains': 'pcwutl.dll'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Windows Hacking Tool Detected

A common hacking tool was detected being used on this machine. While hacking tools can be used for system diagnostics during routine maintenance, they are also a common indicator of malware performing additional reconnaissance or privilege escalation.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\\\(?:(?:(?:win32dd|win64dd|wce|mailpv|rdpv|logreader|netpass|iepv|routerpass|pstpass|vncpass|mspass)\\.exe)|WebBrowserPassView|VNCPassView|Cachedump|Fgdump|gsecdump|Lslsass|mimikatz|pwdump|getlsasrvaddr|timestomp|BulletsPassView|WebBrowserPassView|WirelessKeyView|Chromepass|dialupass|lookpass|Fluxay5Beta1|pstpassword|OperaPassView|routerpassview|PasswordFox)'}, 'condition': 'selection2 and selection3'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Executable launched using Windows PresentationHost tool

Windows Presentation Foundation Host (PresentationHost.exe) enables applications to be hosted in compatible browsers. This tool can bypass code integrity enforcement in Windows Defender Application Control.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\PresentationHost.exe'}, 'selection4': {'Image|re': '\\\\(?:iexplore|chrome|firefox)\\.exe'}, 'condition': 'selection2 and selection3 and not selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Executable Launched from System Volume Information

Running executables from the System Volume Information folder is a common technique used by malware to hide itself. This could be an indication of malicious activity.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': ':\\System Volume Information\\'}, 'condition': 'selection2 and selection3'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Powershell Process Created by Office Excel

A Powershell process has been created by Microsoft Office Excel. This can indicate that a malicious document containing a macro or an exploit has been opened by the user.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'EXCEL.EXE'}, 'selection4': {'Image|contains': 'powershell.exe'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Detected scripting process spawned by WinRAR

A scripting process (wscript.exe, cscript.exe or mshta.exe) was executed directly from WinRAR. This behavior is commonly seen with packed malware.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\WinRAR.exe'}, 'selection4': {'Image|re': '\\\\(wscript|cscript|mshta)\\.exe$'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

RDP process spawning a suspicious process

An unauthenticated attacker could connect to the target system using RDP and send specially crafted requests. This vulnerability could allow arbitrary code to be executed on the target system.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\svchost.exe'}, 'selection4': {'ParentCommandLine|contains': 'svchost.exe -k termsvcs'}, 'selection5': {'Image|contains': '\\rdpclip.exe'}, 'condition': 'selection2 and selection3 and selection4 and not selection5'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Windows UAC bypass - UACME tool

User Account Control bypass activity was detected. This can be due either to a regular operation or to an attacker trying to escalate privileges.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\dism.exe'}, 'selection4': {'ParentCommandLine|contains': '.xml'}, 'selection5': {'Image|re': '\\\\appdata\\\\.*\\\\dismhost\\.exe'}, 'selection6': {'Image|contains': '\\wusa.exe'}, 'selection7': {'CommandLine|contains': '/quiet'}, 'selection8': {'ParentImage|contains': '\\explorer.exe'}, 'selection10': {'ParentImage|contains': 'dccw.exe'}, 'selection11': {'ParentImage|contains': '\\slui.exe'}, 'condition': 'selection2 and ((selection3 and selection4 and not selection5) or (selection6 and selection7 and not selection8) or selection10 or selection11)'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

MS Exchange transport agent backdoor

Transport agents let you install custom software on an Exchange server. This could be used by malware to gain persistence and install backdoors.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\EdgeTransport.exe'}, 'condition': 'selection2 and selection3'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Executable launched using Synaptics Touchpad Enhancements tool

The Synaptics Touchpad Enhancements utility allows binaries to be run on the system. This tool can bypass code integrity enforcement in Windows Defender Application Control.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\SynTPEnh.exe'}, 'selection4': {'ParentCommandLine|contains': '/SHELLEXEC'}, 'selection5': {'Image|contains': '\\SynTPHelper.exe'}, 'selection6': {'Image|contains': '\\WerFault.exe'}, 'condition': 'selection2 and selection3 and selection4 and not (selection5 or selection6)'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

SharPyShell Process Execution Detected

SharPyShell is a known hacking tool that is able to deploy a shell into an ASP.NET server. This shell can be controlled remotely from a malicious server. A process with these characteristics has been detected, which is an indicator of compromise by SharPyShell.

- Query: `{'selection2': {'EventID': 4688}, 'selection3': {'SubjectDomainName': 'IIS APPPOOL'}, 'selection4': {'SubjectUserName': 'sharpy'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Suspicious Process Created by mshta.exe

A suspicious process has been created by mshta.exe. This can indicate that an attacker is using built-in Windows functionality to perform malicious activity.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\mshta.exe'}, 'selection4': {'Image|re': '\\\\(?:powershell|(?:w|c)script|cmd)\\.exe'}, 'selection5': {'CurrentDirectory|re': '(?:\\\\Program Files(?:\\(x86\\))?|\\\\PROGRA~(?:1|2))'}, 'condition': 'selection2 and selection3 and selection4 and not selection5'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Java Process Spawning WMIC

The wmic.exe process was executed by Java software. This could be an indication of malicious activity.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|re': '\\\\java[w]?\\.exe'}, 'selection4': {'Image|contains': '\\wmic.exe'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Process Spawning Fodhelper

A process has been spawned by Fodhelper.exe. There is a known UAC bypass involving this binary that can be used to escalate privileges.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\\\(?:powershell|(?:w|c)script|cmd)\\.exe'}, 'selection4': {'ParentImage|contains': '\\fodhelper.exe'}, 'condition': 'selection2 and selection3 and selection4'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Executable Launched from Recycle Bin

Running executables from the Recycle Bin folder is a common technique used by malware to hide itself. This could be an indication of malicious activity.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': ':\\$Recycle.Bin\\'}, 'selection4': {'Image|contains': ':\\Recycler\\'}, 'condition': 'selection2 and (selection3 or selection4)'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Suspicious Process Created by Notepad or Calculator

A potentially suspicious process was started by either Notepad or Calculator. This could be the result of a malicious file being opened by the user or of a proof-of-concept being tested.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\NOTEPAD.EXE'}, 'selection4': {'Image|re': '\\\\(?:notepad|ctfmon|Microsoft\\.Uev\\.SyncController)\\.exe'}, 'selection5': {'CommandLine|contains': '\\DRIVERS\\'}, 'selection6': {'ParentImage|contains': '\\CALC.EXE'}, 'selection7': {'Image|contains': 'CALC.EXE'}, 'selection8': {'Image|contains': ':\\Program Files'}, 'selection9': {'Image|contains': '":\\Windows\\splwow64.exe"'}, 'condition': 'selection2 and ((selection3 and not (selection4 or selection5)) or (selection6 and not selection7)) and not (selection8 or selection9)'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Suspicious Process Created by Microsoft Office Application

A potentially suspicious process was started by a Microsoft Office application. This can indicate that a malicious document containing a macro or an exploit has been opened by the user.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|re': '(?:winword|excel|powerpnt|msaccess|infopath)\\.exe'}, 'selection6': {'Image|re': '(?:cmd|svchost|wscript|notepad|rundll32|schtasks|ntvdm|bitsadmin|msiexec|regsvr32|certutil|mshta|[A-Z]:\\\\Users\\\\.*)\\.exe$'}, 'selection4': {'Image|contains': '\\AppData\\'}, 'selection5': {'CommandLine|contains': '\\DRIVERS\\'}, 'condition': 'selection2 and selection3 and selection6 and not (selection4 or selection5)'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Windows mofcomp with suspicious file extension

The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers could use this tool to compile malicious WMI classes.

- Query: `{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image': '\\mofcomp.exe'}, 'selection5': {'CommandLine|re': '\\.mof'}, 'condition': 'selection2 and selection3 and not selection5'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50
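As an added example (not Stellar Cyber's code), the following Python evaluator applies two of the rules listed above, copied verbatim, to constructed process-creation events, so that the effect of a `not selectionN` exclusion can be seen. It assumes Sigma-style semantics for the field modifiers (`contains` is a case-insensitive substring match, `re` is a regex search, an unmodified value is an exact match with `?`/`*` wildcards) and restricts the `condition` string to selection names, boolean operators and parentheses before evaluating it.

```python
import re
from fnmatch import fnmatchcase

# Two rules from the list above, copied as-is (selection/condition dicts).
RULES = {
    "Powershell Process Created by Office Word": {
        'selection2': {'EventID': [1, 4688]},
        'selection3': {'ParentImage|contains': 'WINWORD.EXE'},
        'selection4': {'Image|contains': 'powershell.exe'},
        'condition': 'selection2 and selection3 and selection4'},
    "Executable with Suspicious Extension": {
        'selection2': {'EventID': [1, 4688]},
        'selection3': {'Image|re': '\\.(jpeg|jpg|png|gif|tiff|ico|zip|rar|pdf)\\.(exe|msi|scr|hta|bat|hta)$'},
        'selection4': {'CurrentDirectory|re': '(?:\\\\Program Files(?:\\(x86\\))?|\\\\PROGRA~(?:1|2))'},
        'condition': 'selection2 and selection3 and not selection4'},
}

# Constructed sample events (not real telemetry); field names follow the rules above.
EVENTS = [
    {"EventID": 4688, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CurrentDirectory": "C:\\Users\\alice\\Documents\\"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe",
     "CurrentDirectory": "C:\\Users\\alice\\Downloads\\"},
    {"EventID": 4688, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Vendor\\icon.png.exe",        # double extension, but ...
     "CurrentDirectory": "C:\\Program Files\\Vendor\\"},       # ... the Program Files exclusion applies
]

_ALLOWED_CONDITION = re.compile(r"^(?:\s|selection\d+|and|or|not|\(|\))+$")

def match_field(modifier, pattern, value):
    """Assumed modifier semantics: 'contains' = case-insensitive substring,
    're' = regex search, no modifier = exact match with ?/* wildcards."""
    if value is None:
        return False
    value = str(value)
    if modifier == "contains":
        return pattern.lower() in value.lower()
    if modifier == "re":
        return re.search(pattern, value) is not None
    return fnmatchcase(value.lower(), str(pattern).lower())

def selection_matches(selection, event):
    """Every field in a selection must match; a list of values means 'any of these'."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        candidates = pattern if isinstance(pattern, list) else [pattern]
        if not any(match_field(modifier, p, event.get(field)) for p in candidates):
            return False
    return True

def rule_matches(rule, event):
    """Evaluate the condition string; reject anything but selection names and boolean operators."""
    condition = rule["condition"]
    if not _ALLOWED_CONDITION.match(condition):
        raise ValueError(f"unexpected token in condition: {condition!r}")
    flags = {name: selection_matches(sel, event) for name, sel in rule.items() if name != "condition"}
    return bool(eval(condition, {"__builtins__": {}}, flags))

def run_rules(rules, events):
    """Return (rule name, event index) for every rule that fires on each event."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in rules.items() if rule_matches(rule, ev)]
```

Running `run_rules(RULES, EVENTS)` fires the Word rule on the first event and the suspicious-extension rule on the second; the third event is suppressed by the `not selection4` exclusion even though its image has a double extension.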