Detectionhightest
Suspicious PowerShell Parent Process
Detects a suspicious or uncommon parent processes of PowerShell
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Teymur Kheirkhabarov, Harish SegarCreated Fri Mar 20Updated Sat Feb 04754ed792-634f-40ae-b3bc-e0448d33f695windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_parent:
- ParentImage|contains: 'tomcat'
- ParentImage|endswith:
- '\amigo.exe'
- '\browser.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\httpd.exe'
- '\iexplore.exe'
- '\jbosssvc.exe'
- '\microsoftedge.exe'
- '\microsoftedgecp.exe'
- '\MicrosoftEdgeSH.exe'
- '\mshta.exe'
- '\nginx.exe'
- '\outlook.exe'
- '\php-cgi.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\safari.exe'
- '\services.exe'
- '\sqlagent.exe'
- '\sqlserver.exe'
- '\sqlservr.exe'
- '\vivaldi.exe'
- '\w3wp.exe'
selection_powershell:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- CommandLine|contains:
- '/c powershell' # FPs with sub processes that contained "powershell" somewhere in the command line
- '/c pwsh'
- Description: 'Windows PowerShell'
- Product: 'PowerShell Core 6'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
condition: all of selection_*False Positives
Other scripts
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
754ed792-634f-40ae-b3bc-e0448d33f695
Status
test
Level
high
Type
Detection
Created
Fri Mar 20
Modified
Sat Feb 04
Author
Path
rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml
Raw Tags
attack.executionattack.t1059.001