Merge pull request #867 from HarishHary/suspicious_powershell_parent_process

New Rule: Suspicious powershell parent process

rules/windows/process_creation/win_susp_powershell_parent_process.yml

@@ -0,0 +1,58 @@
+title: Suspicious PowerShell Parent Process
+id: 754ed792-634f-40ae-b3bc-e0448d33f695
+description: Detects a suspicious parents of powershell.exe
+status: experimental
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/03/20
+tags:
+    - attack.execution
+    - attack.t1086
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_image1:
+        - ParentImage|endswith:
+            - '\mshta.exe'
+            - '\rundll32.exe'
+            - '\regsvr32.exe'
+            - '\services.exe'
+            - '\winword.exe'
+            - '\wmiprvse.exe'
+            - '\powerpnt.exe'
+            - '\excel.exe'
+            - '\msaccess.exe'
+            - '\mspub.exe'
+            - '\visio.exe'
+            - '\outlook.exe'
+            - '\amigo.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+            - '\iexplore.exe'
+            - '\microsoftedgecp.exe'
+            - '\microsoftedge.exe'
+            - '\browser.exe'
+            - '\vivaldi.exe'
+            - '\safari.exe'
+            - '\sqlagent.exe'
+            - '\sqlserver.exe'
+            - '\sqlservr.exe'
+            - '\w3wp.exe'
+            - '\httpd.exe'
+            - '\nginx.exe'
+            - '\php-cgi.exe'
+            - '\jbosssvc.exe'
+            - "MicrosoftEdgeSH.exe"
+        - ParentImage|contains: "tomcat"
+    selection_powershell:
+        - CommandLine|contains:
+              - "powershell"
+              - "pwsh"
+        - Description: "Windows PowerShell"
+        - Product: "PowerShell Core 6"
+    condition: all of them
+falsepositives:
+    - Other scripts
+level: medium