Potentially Suspicious Child Process Of DiskShadow.EXE
- source: sigma
- techniques:
  - t1218
Description
Detects potentially suspicious child processes of “Diskshadow.exe”. This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Detection logic
condition: selection
selection:
  Image|endswith:
    - \certutil.exe
    - \cscript.exe
    - \mshta.exe
    - \powershell.exe
    - \pwsh.exe
    - \regsvr32.exe
    - \rundll32.exe
    - \wscript.exe
  ParentImage|endswith: \diskshadow.exe
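The following is an added example (not part of the Sigma rule or this page) that evaluates the selection above against a handful of constructed process-creation events. It shows the two details an analyst usually has to confirm when porting the rule to a SIEM: Sigma string matching is case-insensitive, and the leading backslash in each `endswith` value means the pattern matches a whole file name, so a process such as `notcertutil.exe` does not trigger on the `\certutil.exe` entry. The event dictionaries and the `Image`/`ParentImage` paths are constructed for the example; the helper functions are assumptions of this example, not Sigma library code.

```python
"""Evaluate the DiskShadow child-process selection over constructed events.

Added example, not part of the Sigma rule or the page. Event dicts are
constructed here to resemble Sysmon Event ID 1 / Windows 4688 fields as
Sigma names them (Image, ParentImage).
"""

# The rule's selection, transcribed from the page (values as listed there).
SELECTION = {
    "Image|endswith": [
        r"\certutil.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
        r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\wscript.exe",
    ],
    "ParentImage|endswith": r"\diskshadow.exe",
}


def field_matches(value, modifier, patterns):
    """Apply one Sigma string modifier to a field value.

    Sigma string matching is case-insensitive; a list of patterns is OR-ed.
    Only the modifiers needed for this kind of rule are implemented here.
    """
    if isinstance(patterns, str):
        patterns = [patterns]
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier is None and v == p:
            return True
    return False


def selection_matches(event, selection=SELECTION):
    """All keys of a Sigma selection map are AND-ed; a missing field fails."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not field_matches(str(event[field]), modifier or None, patterns):
            return False
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: listed child under diskshadow.exe -> hit
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\diskshadow.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 1: same, but parent logged in upper case -> still a hit (case-insensitive)
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\DISKSHADOW.EXE",
     "Image": r"C:\Windows\System32\mshta.exe"},
    # 2: child image not in the rule's list -> no hit
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\diskshadow.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
    # 3: listed child, but parent is not diskshadow.exe -> no hit
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe"},
    # 4: leading backslash in the pattern prevents a substring-only match -> no hit
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\diskshadow.exe",
     "Image": r"C:\tools\notcertutil.exe"},
]


def find_hits(events=SAMPLE_EVENTS):
    """Return the indexes of events that satisfy the selection."""
    return [i for i, e in enumerate(events) if selection_matches(e)]


if __name__ == "__main__":
    for i in find_hits():
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['Image']}")
```

Running the block prints alerts for events 0 and 1 only. When translating the rule into a backend whose string comparison is case-sensitive by default, the second event is the one that silently stops matching, so it is worth keeping a test case like it next to the rule.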