SigmaHQ/rules/windows/process_creation/win_shell_spawn_susp_program.yml
2020-10-15 18:25:59 -03:00

46 lines
1.2 KiB
YAML

title: Windows Shell Spawning Suspicious Program
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: experimental
description: Detects a suspicious child process of a Windows shell
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth
date: 2018/04/06
modified: 2020/09/06
tags:
- attack.execution
- attack.defense_evasion
- attack.t1064 # an old one
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
# - '*\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
falsepositives:
CurrentDirectory|contains: '\ccmcache\\'
condition: selection and not falsepositives
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high