Transformed rule

I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs Fixed Typo Changes to title and description
2024-11-06 17:35:19 +00:00 · 2019-02-26 15:57:28 +01:00 · 2019-02-26 15:57:28 +01:00 · 378ba5b38f
commit 378ba5b38f
parent 8e6295e402
1 changed files with 12 additions and 13 deletions
--- a/rules/windows/builtin/win_proc_wrong_parent.yml
+++ b/rules/windows/builtin/win_proc_wrong_parent.yml
@ -1,6 +1,6 @@
-title: Windows processes with wrong parent
+title: Windows Processes Suspicious Parent
 status: experimental
-description: Detect scenarios when malicious program is disguised as legitimate process
+description: Detect suspicious parent processes of well-known Windows processes
 author: 'vburov'
 references:
    - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
@ -14,34 +14,33 @@ logsource:
    service: sysmon
    definition: 'Requirements: Sysmon'
 detection:
-    selection:
+    selection1:
        EventID: 1
-    filter1:
        Image:
            - '*\svchost.exe'
            - '*\taskhost.exe'
+    filter1:
        ParentImage:
            - '*\services.exe'
-    filter2:
+    selection2:
+        EventID: 1
        Image:
            - '*\lsm.exe'
            - '*\lsass.exe'
            - '*\services.exe'
+    filter2:
        ParentImage:
            - '*\wininit.exe'
-    filter3:
+    selection3:
+        EventID: 1
        Image:
            - '*\csrss.exe'
            - '*\wininit.exe'
            - '*\winlogon.exe'
+    filter3:
        ParentImage:
            - '*\smss.exe'
-    filter4:
-        Image:
-            - '*\explorer.exe'
-        ParentImage:
-            - '*\userinit.exe'
-    condition: selection and not ( filter1 or filter2 or filter3 or filter4 )
+    condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) or ( selection3 and not filter3 )
 falsepositives:
-    - None
+    - Unknown please report back
 level: high