
Elevated System Shell Spawned From Uncommon Parent Location

Detects when a shell program such as the Windows command prompt or PowerShell is launched with SYSTEM privileges from an uncommon parent location.

Authors: François Hubaut, Tim Shelton (update fp)
Created: Mon Dec 05
Updated: Thu Mar 06
Rule ID: 178e615d-e666-498b-9630-9ed363038101
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (8 selectors)
detection:
    selection_shell:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
              - '\cmd.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'powershell_ise.EXE'
              - 'pwsh.dll'
              - 'Cmd.Exe'
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        LogonId: '0x3e7'
    filter_main_generic:
        # Example 1:
        #   C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
        # Example 2:
        #   ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
        #   CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
        ParentImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\Temp\' # Installers
            - ':\Windows\WinSxS\'
    filter_optional_manageengine:
        # Example:
        #   ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
        #   CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
        ParentImage|endswith: ':\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
        Image|endswith: '\cmd.exe'
    filter_optional_asgard:
        CommandLine|contains: ':\WINDOWS\system32\cmd.exe /c "'
        CurrentDirectory|contains: ':\WINDOWS\Temp\asgard2-agent\'
    filter_optional_ibm_spectrumprotect:
        ParentImage|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
        CommandLine|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
    filter_main_parent_null:
        ParentImage: null
    filter_main_parent_empty:
        ParentImage:
            - ''
            - '-'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
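
The condition above, evaluated over constructed sample process-creation events. This is an added Python reference evaluator written for this page, not part of the Sigma rule or of any Sigma backend; it assumes the standard Sigma semantics (case-insensitive string matching, a list of maps as OR, fields of one map as AND, `null` matching an absent field), and the helper and sample names are the example's own.

```python
# Values transcribed from the rule; helper and sample names are this example's own.
SHELL_IMAGE_SUFFIXES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe", "\\cmd.exe")
SHELL_ORIGINAL_NAMES = ("powershell.exe", "powershell_ise.exe", "pwsh.dll", "cmd.exe")
SYSTEM_USER_FRAGMENTS = ("authori", "autori")  # 'NT AUTHORITY', 'AUTORITE NT', ...
SYSTEM_LOGON_ID = "0x3e7"  # the SYSTEM logon session
TRUSTED_PARENT_DIRS = (":\\program files (x86)\\", ":\\program files\\", ":\\programdata\\",
                       ":\\windows\\system32\\", ":\\windows\\syswow64\\",
                       ":\\windows\\temp\\", ":\\windows\\winsxs\\")
IBM_SCRIPTS_DIR = ":\\ibm\\spectrumprotect\\webserver\\scripts\\"

def _field(event: dict, name: str) -> "str | None":
    """Sigma string matching is case-insensitive; a missing or null field stays None."""
    value = event.get(name)
    return None if value is None else str(value).lower()

def _selection_shell(e: dict) -> bool:  # list of maps: OR between Image and OriginalFileName
    image, orig = _field(e, "Image") or "", _field(e, "OriginalFileName") or ""
    return image.endswith(SHELL_IMAGE_SUFFIXES) or orig in SHELL_ORIGINAL_NAMES

def _selection_user(e: dict) -> bool:  # map: AND of its fields; list: OR of its values
    user = _field(e, "User") or ""
    return any(f in user for f in SYSTEM_USER_FRAGMENTS) and _field(e, "LogonId") == SYSTEM_LOGON_ID

def _filter_main(e: dict) -> bool:  # trusted parent dirs, plus null / empty ParentImage
    parent = _field(e, "ParentImage")
    return parent is None or parent in ("", "-") or any(d in parent for d in TRUSTED_PARENT_DIRS)

def _filter_optional(e: dict) -> bool:  # the three product-specific exclusions
    parent, image = _field(e, "ParentImage") or "", _field(e, "Image") or ""
    cmd, cwd = _field(e, "CommandLine") or "", _field(e, "CurrentDirectory") or ""
    manageengine = parent.endswith(":\\manageengine\\admanager plus\\pgsql\\bin\\postgres.exe") and image.endswith("\\cmd.exe")
    asgard = ':\\windows\\system32\\cmd.exe /c "' in cmd and ":\\windows\\temp\\asgard2-agent\\" in cwd
    return manageengine or asgard or (IBM_SCRIPTS_DIR in parent and IBM_SCRIPTS_DIR in cmd)

def matches(e: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return _selection_shell(e) and _selection_user(e) and not _filter_main(e) and not _filter_optional(e)

def _ev(parent, user="NT AUTHORITY\\SYSTEM", logon="0x3e7", image="C:\\Windows\\System32\\cmd.exe", **extra):
    """Build a constructed process-creation event (not real telemetry)."""
    return {"Image": image, "ParentImage": parent, "User": user, "LogonId": logon, **extra}

SAMPLES = {
    "shell_from_users_dir": _ev("C:\\Users\\Public\\updater.exe"),  # fires: parent outside trusted dirs
    "renamed_pwsh_localized": _ev("C:\\Temp\\loader.exe", user="AUTORITE NT\\Système", image="C:\\Temp\\ps.exe", OriginalFileName="PowerShell.EXE"),
    "service_under_program_files": _ev("C:\\Program Files\\erl-23.2\\erts-11.1.4\\bin\\erl.exe"),  # filter_main_generic
    "parent_unknown": _ev(None),  # ParentImage null: filter_main_parent_null applies
    "interactive_admin": _ev("C:\\Users\\Public\\updater.exe", user="CORP\\alice", logon="0x1a2b3"),  # not SYSTEM
}
```

The second sample shows why the rule keys on OriginalFileName as well as Image: a renamed PowerShell binary and a localized SYSTEM account name still match, while the last three samples fall to the user selection or the main filters.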

False Positives

Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.

Rule Metadata
Rule ID: 178e615d-e666-498b-9630-9ed363038101
Status: test
Level: medium
Type: Detection
Created: Mon Dec 05
Modified: Thu Mar 06
Path: rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
Raw Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1059