SigmaHQ/rules/windows/process_creation/win_susp_powershell_parent_process.yml

title: Suspicious PowerShell Parent Process
id: 754ed792-634f-40ae-b3bc-e0448d33f695
description: Detects a suspicious parents of powershell.exe
status: experimental
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
author: Teymur Kheirkhabarov, Harish Segar (rule)
date: 2020/03/20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086      # an old one   
logsource:
    category: process_creation
    product: windows
detection:
    selection_image1:
        - ParentImage|endswith:
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\services.exe'
            - '\winword.exe'
            - '\wmiprvse.exe'
            - '\powerpnt.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\visio.exe'
            - '\outlook.exe'
            - '\amigo.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\microsoftedgecp.exe'
            - '\microsoftedge.exe'
            - '\browser.exe'
            - '\vivaldi.exe'
            - '\safari.exe'
            - '\sqlagent.exe'
            - '\sqlserver.exe'
            - '\sqlservr.exe'
            - '\w3wp.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\jbosssvc.exe'
            - "MicrosoftEdgeSH.exe"
        - ParentImage|contains: "tomcat"
    selection_powershell:
        - CommandLine|contains:
              - "powershell"
              - "pwsh"
        - Description: "Windows PowerShell"
        - Product: "PowerShell Core 6"
    condition: all of them
falsepositives:
    - Other scripts
level: medium