Threat Hunt | Level: low | Status: experimental

Potential Executable Run Itself As Sacrificial Process

Detects when an executable launches an identical instance of itself, a behavior often used to create a suspended “sacrificial” process for code injection or evasion. Investigate for indicators such as the process being started in suspended mode, rapid parent termination, memory manipulation (e.g., WriteProcessMemory, CreateRemoteThread), or unsigned binaries. Review command-line arguments, process ancestry, and network activity to confirm if this is legitimate behavior or process injection activity.

Author: François Hubaut | Created: Fri Oct 17 | Rule ID: bafd07c6-3ea5-454a-b4be-058fbb073de7 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)
detection:
    selection:
        Image|fieldref: ParentImage
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_original_fn:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'CompatTelRunner.exe'
            - 'Discord.exe'
            - 'electron.exe' # Vs Code
            - 'EXPLORER.EXE'
            - 'httpd.exe'
            - 'IE4UINIT.EXE'
            - 'mmc.exe'
            - 'MpCmdRun.exe'
            - 'mscorsvw.exe'
            - 'msiexec.exe'
            - 'NGenTask.exe'
            - 'OneDriveSetup.exe'
            - 'PowerShell.EXE'
            - 'REGSVR32.EXE'
            - 'smss.exe'
            - 'Spotify.exe'
            - 'WerMgr'
    filter_main_product:
        Product:
            - 'Avira'
            - 'Evernote'
            - 'Firefox'
            - 'Microsoft Office'
            - 'Ninite'
            - 'Opera Browser Assistant Installer'
            - 'Opera Installer'
            - 'Sysinternals Sysmon'
    condition: selection and not 1 of filter_*
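The rule's `selection and not 1 of filter_*` logic, evaluated in plain Python over a few constructed process-creation records. This is an added example, not code from the rule page or from the Sigma project; field names follow Sysmon Event ID 1 and the sample paths, products and file names are made up for illustration.

```python
# Sigma compares strings case-insensitively by default, so lower-case everything once.
PATH_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
ORIGINAL_FILENAMES = {n.lower() for n in (
    "Cmd.Exe", "CompatTelRunner.exe", "Discord.exe", "electron.exe", "EXPLORER.EXE",
    "httpd.exe", "IE4UINIT.EXE", "mmc.exe", "MpCmdRun.exe", "mscorsvw.exe", "msiexec.exe",
    "NGenTask.exe", "OneDriveSetup.exe", "PowerShell.EXE", "REGSVR32.EXE", "smss.exe",
    "Spotify.exe", "WerMgr")}
PRODUCTS = {p.lower() for p in (
    "Avira", "Evernote", "Firefox", "Microsoft Office", "Ninite",
    "Opera Browser Assistant Installer", "Opera Installer", "Sysinternals Sysmon")}


def matches_rule(event):
    """True when the event satisfies `selection and not 1 of filter_*`."""
    image = event.get("Image", "").lower()
    # selection: Image|fieldref: ParentImage -> child path equals parent path
    if not image or image != event.get("ParentImage", "").lower():
        return False
    # filter_main_path: Image|startswith one of the Program Files roots
    if image.startswith(PATH_PREFIXES):
        return False
    # filter_main_original_fn / filter_main_product: known self-spawning software
    if event.get("OriginalFileName", "").lower() in ORIGINAL_FILENAMES:
        return False
    if event.get("Product", "").lower() in PRODUCTS:
        return False
    return True


def hunt(events):
    """Apply the rule to process-creation events and return the hits."""
    return [e for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 1-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",  # self-spawn from %TEMP%: hit
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "OriginalFileName": "update.exe", "Product": "Unknown"},
    {"Image": r"C:\Program Files\Vendor\app.exe",  # excluded by filter_main_path
     "ParentImage": r"C:\Program Files\Vendor\app.exe",
     "OriginalFileName": "app.exe", "Product": "Vendor App"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # excluded by filter_main_original_fn
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "Product": "Microsoft Windows Operating System"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # parent differs: selection fails
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Product": "Microsoft Windows Operating System"},
]
```

Only the first record survives all three filters; a real hunt would then pivot on the surviving process for the suspended-start, parent-termination and memory-write indicators the hypothesis lists.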
False Positives

Legitimate software that may launch a new instance of itself, especially updaters or installers. Investigate each alert and apply whitelisting as needed.

MITRE ATT&CK
Rule Metadata
Rule ID
bafd07c6-3ea5-454a-b4be-058fbb073de7
Status
experimental
Level
low
Type
Threat Hunt
Created
Fri Oct 17
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_susp_parent_execute_itself.yml
Raw Tags
attack.defense-evasion
attack.privilege-escalation
attack.t1055
detection.threat-hunting