title: Windows Processes Suspicious Parent Directory id: 96036718-71cc-4027-a538-d1587e0006a7 status: experimental description: Detect suspicious parent processes of well-known Windows processes author: vburov references: - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/ - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf - https://attack.mitre.org/techniques/T1036/ date: 2019/02/23 modified: 2020/09/06 tags: - attack.defense_evasion - attack.t1036 # an old one - attack.t1036.003 - attack.t1036.005 logsource: category: process_creation product: windows detection: selection: Image: - '*\svchost.exe' - '*\taskhost.exe' - '*\lsm.exe' - '*\lsass.exe' - '*\services.exe' - '*\lsaiso.exe' - '*\csrss.exe' - '*\wininit.exe' - '*\winlogon.exe' filter: ParentImage: - '*\System32\\*' - '*\SysWOW64\\*' - '*\SavService.exe' - '*\Windows Defender\\*\MsMpEng.exe' filter_null: ParentImage: null condition: selection and not filter and not filter_null falsepositives: - Some security products seem to spawn these level: low