From 81b277ba1a6f4c7a8ca7ebb376630014869ef245 Mon Sep 17 00:00:00 2001
From: Harish SEGAR
Date: Sat, 21 Mar 2020 00:26:30 +0100
Subject: [PATCH] suspicious powershell parent process...

---
 .../win_susp_powershell_parent_process.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_powershell_parent_process.yml

diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
new file mode 100644
index 00000000..aa774aa1
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
@@ -0,0 +1,64 @@
+title: Suspicious PowerShell parent process
+id: 754ed792-634f-40ae-b3bc-e0448d33f695
+description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
+status: experimental
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/03/20
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+
+    selection_image1:
+        ParentImage|endswith:
+            - '\mshta.exe'
+            - '\rundll32.exe'
+            - '\regsvr32.exe'
+            - '\services.exe'
+            - '\winword.exe'
+            - '\wmiprvse.exe'
+            - '\powerpnt.exe'
+            - '\excel.exe'
+            - '\msaccess.exe'
+            - '\mspub.exe'
+            - '\visio.exe'
+            - '\outlook.exe'
+            - '\amigo.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+            - '\iexplore.exe'
+            - '\microsoftedgecp.exe'
+            - '\microsoftedge.exe'
+            - '\browser.exe'
+            - '\vivaldi.exe'
+            - '\safari.exe'
+            - '\sqlagent.exe'
+            - '\sqlserver.exe'
+            - '\sqlservr.exe'
+            - '\w3wp.exe'
+            - '\httpd.exe'
+            - '\nginx.exe'
+            - '\php-cgi.exe'
+            - '\jbosssvc.exe'
+            - 'MicrosoftEdgeSH.exe'
+    selection_image2:
+        ParentImage|contains: 'tomcat'
+
+    filters:
+        CommandLine|contains:
+            - 'powershell'
+            - 'pwsh'
+        Description: 'Windows PowerShell'
+        Product: 'PowerShell Core 6'
+
+    condition: selection and (1 of selection_image*) and (1 of filters)
+falsepositives:
+    - Unkown
+level: high
\ No newline at end of file
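Review bot: The `filters` selection is written as a single YAML map, and Sigma joins the keys of a map with AND, so the rule only fires when CommandLine contains powershell/pwsh and Description is 'Windows PowerShell' and Product is 'PowerShell Core 6' all at once — the latter two look like values from different PowerShell editions and are unlikely to hold together, so the rule will rarely or never match. Turning `filters` into a list of maps restores the OR the reference describes, as shown below. The last `ParentImage|endswith` entry, `'MicrosoftEdgeSH.exe'`, is missing the leading backslash every other entry has and should be `- '\MicrosoftEdgeSH.exe'`. The `description` talks about csc.exe although the title, condition and reference are about PowerShell, which looks carried over from another rule, and `falsepositives` misspells `Unknown` as `Unkown`.
```yaml
    # … unchanged: selection, selection_image1, selection_image2 …
    filters:
        - CommandLine|contains:
              - 'powershell'
              - 'pwsh'
        - Description: 'Windows PowerShell'
        - Product: 'PowerShell Core 6'
    # … unchanged: condition …
```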