Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

Potentially Suspicious PowerShell Child Processes

Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Tim SheltonCreated Tue Apr 26Updated Tue Jul 16e4b6d2a7-d8a4-4f19-acbd-943c16d90647windows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic4 selectors
detection:
    selection:
        ParentImage|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_optional_amazon:
        ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
        CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
    filter_main_certutil_verify_store:
        Image|endswith: '\certutil.exe'
        CommandLine|contains: '-verifystore '
    filter_main_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'qfe list'
            - 'diskdrive '
            - 'csproduct '
            - 'computersystem '
            - ' os '
            - ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.

References
1
Resolving title…
twitter.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
e4b6d2a7-d8a4-4f19-acbd-943c16d90647
Status
test
Level
medium
Type
Threat Hunt
Created
Tue Apr 26
Modified
Tue Jul 16
Author
Florian Roth (Nextron Systems), Tim Shelton
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
Raw Tags
attack.executionattack.t1059.001detection.threat-hunting
View on GitHub