← Library
sigmaDRL-1.1from SigmaHQ/sigma

Unusual Parent Process For Cmd.EXE

Detects suspicious parent process for cmd.exe

Quality
66
FP risk
Forks
0
Views
0
ATT&CK techniques
T1059
Rule sourcerules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
status: test
description: Detects suspicious parent process for cmd.exe
references:
    - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-21
modified: 2023-12-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith:
            - '\csrss.exe'
            - '\ctfmon.exe'
            - '\dllhost.exe'
            - '\epad.exe'
            - '\FlashPlayerUpdateService.exe'
            - '\GoogleUpdate.exe'
            - '\jucheck.exe'
            - '\jusched.exe'
            - '\LogonUI.exe'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SIHClient.exe'
            - '\sihost.exe'
            - '\slui.exe'
            - '\spoolsv.exe'
            - '\sppsvc.exe'
            - '\taskhostw.exe'
            - '\unsecapp.exe'
            - '\WerFault.exe'
            - '\wermgr.exe'
            - '\wlanext.exe'
            - '\WUDFHost.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium