Type: Detection | Level: low | Status: test
Windows Processes Suspicious Parent Directory
Detect suspicious parent processes of well-known Windows processes
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\lsm.exe'
            - '\lsass.exe'
            - '\services.exe'
            - '\lsaiso.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_sys:
        - ParentImage|endswith:
            - '\SavService.exe'
            - '\ngen.exe'
        - ParentImage|contains:
            - '\System32\'
            - '\SysWOW64\'
    filter_msmpeng:
        ParentImage|contains:
            - '\Windows Defender\'
            - '\Microsoft Security Client\'
        ParentImage|endswith: '\MsMpEng.exe'
    filter_null:
        - ParentImage: null
        - ParentImage:
            - ''
            - '-'
    condition: selection and not 1 of filter_*
False Positives
Some security products seem to spawn these
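To see how the condition and the three filters interact, the following added example (not code from the Sigma project or this rule's author) re-implements the four selectors in Python and runs them over constructed process-creation events, including a Defender-spawned svchost.exe that filter_msmpeng suppresses and a non-Defender binary inside a "Windows Defender" directory that it does not. The field names Image and ParentImage come from the rule; all sample paths are constructed.

```python
# Added example (not Sigma project code): this rule's four selectors in
# Python, case-insensitive as Sigma backends treat Windows paths.
PROTECTED = ('\\svchost.exe', '\\taskhost.exe', '\\lsm.exe', '\\lsass.exe',
             '\\services.exe', '\\lsaiso.exe', '\\csrss.exe', '\\wininit.exe',
             '\\winlogon.exe')
SYS_PARENT_SUFFIX = ('\\savservice.exe', '\\ngen.exe')
SYS_PARENT_DIRS = ('\\system32\\', '\\syswow64\\')
DEFENDER_DIRS = ('\\windows defender\\', '\\microsoft security client\\')

def _norm(value):
    return value.lower() if isinstance(value, str) else None

def selection(image):
    """Image|endswith one of the protected system binaries."""
    image = _norm(image)
    return image is not None and image.endswith(PROTECTED)

def filter_sys(parent):
    """A list of maps is OR in Sigma: known parent binary OR system directory."""
    parent = _norm(parent)
    return parent is not None and (parent.endswith(SYS_PARENT_SUFFIX)
                                   or any(d in parent for d in SYS_PARENT_DIRS))

def filter_msmpeng(parent):
    """A single map is AND: in a Defender directory AND named MsMpEng.exe."""
    parent = _norm(parent)
    return parent is not None and (parent.endswith('\\msmpeng.exe')
                                   and any(d in parent for d in DEFENDER_DIRS))

def filter_null(parent):
    """Sigma null means the field is absent; '' and '-' are placeholder values."""
    return parent is None or parent in ('', '-')

def matches(event):
    """condition: selection and not 1 of filter_*"""
    image, parent = event.get('Image'), event.get('ParentImage')
    return selection(image) and not (filter_sys(parent) or filter_msmpeng(parent)
                                     or filter_null(parent))

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {'Image': r'C:\Windows\System32\svchost.exe', 'ParentImage': r'C:\Windows\System32\services.exe'},
    {'Image': r'C:\Windows\System32\svchost.exe', 'ParentImage': r'C:\Users\Public\loader.exe'},
    {'Image': r'C:\Windows\System32\lsass.exe', 'ParentImage': '-'},
    {'Image': r'C:\Windows\System32\svchost.exe',
     'ParentImage': r'C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe'},
    {'Image': r'C:\Windows\System32\svchost.exe', 'ParentImage': r'C:\Temp\Windows Defender\tool.exe'},
]

def alerts(events):
    """Return the ParentImage values of the events the rule fires on."""
    return [e['ParentImage'] for e in events if matches(e)]
```

Only the second and fifth sample events fire: the others are suppressed by filter_sys, filter_null and filter_msmpeng respectively.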
MITRE ATT&CK
Rule Metadata
Rule ID
96036718-71cc-4027-a538-d1587e0006a7
Status
test
Level
low
Type
Detection
Created
Sat Feb 23
Modified
Thu Mar 06
Author
Path
rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
Raw Tags
attack.defense-evasion, attack.t1036.003, attack.t1036.005