LoFP: Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.

Techniques

Sample rules

Elevated System Shell Spawned From Uncommon Parent Location

Description

Detects when a shell program such as the Windows command prompt or PowerShell is launched with SYSTEM privileges from an uncommon parent location.

Detection logic

selection_shell:
  - Image|endswith:
    - '\powershell.exe'
    - '\powershell_ise.exe'
    - '\pwsh.exe'
    - '\cmd.exe'
  - OriginalFileName:
    - 'PowerShell.EXE'
    - 'powershell_ise.EXE'
    - 'pwsh.dll'
    - 'Cmd.Exe'
selection_user:
  LogonId: '0x3e7'
  User|contains:  # covers localized 'NT AUTHORITY' / 'AUTORITE NT' account names
    - 'AUTHORI'
    - 'AUTORI'
filter_main_generic:
  ParentImage|contains:
    - ':\Program Files (x86)\'
    - ':\Program Files\'
    - ':\ProgramData\'
    - ':\Windows\System32\'
    - ':\Windows\SysWOW64\'
    - ':\Windows\Temp\'
    - ':\Windows\WinSxS\'
filter_main_parent_empty:
  ParentImage:
    - ''
    - '-'
filter_main_parent_null:
  ParentImage: null
filter_optional_asgard:
  CommandLine|contains: ':\WINDOWS\system32\cmd.exe /c "'
  CurrentDirectory|contains: ':\WINDOWS\Temp\asgard2-agent\'
filter_optional_ibm_spectrumprotect:
  CommandLine|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
  ParentImage|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
filter_optional_manageengine:
  Image|endswith: '\cmd.exe'
  ParentImage|endswith: ':\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
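Added example, not LoFP's or SigmaHQ's code: a Python evaluation of the detection logic above over constructed Sysmon Event ID 1 style process-creation events, showing which cases alert and which are suppressed by selection_user, filter_main_* or filter_optional_*. The field names follow the rule; the sample events, paths and logon IDs are constructed.

```python
# Added example (not LoFP's or SigmaHQ's code): evaluates the rule's selections
# and filters over constructed Sysmon Event ID 1 style events.
SHELL_SUFFIXES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe", "\\cmd.exe")
SHELL_NAMES = ("powershell.exe", "powershell_ise.exe", "pwsh.dll", "cmd.exe")  # OriginalFileName, lowered
COMMON_PARENTS = (":\\Program Files (x86)\\", ":\\Program Files\\", ":\\ProgramData\\",
                  ":\\Windows\\System32\\", ":\\Windows\\SysWOW64\\", ":\\Windows\\Temp\\", ":\\Windows\\WinSxS\\")

def _ci(value):
    """Sigma string matching is case-insensitive; a missing field compares as ''."""
    return (value or "").lower()

def _contains(value, *needles):
    return any(n.lower() in _ci(value) for n in needles)

def _endswith(value, *suffixes):
    return any(_ci(value).endswith(s.lower()) for s in suffixes)

def rule_matches(ev):
    """True when the event satisfies: all selections, no filter_main_*, no filter_optional_*."""
    # selection_shell is a list of maps, i.e. Image OR OriginalFileName may identify the shell
    sel_shell = _endswith(ev.get("Image"), *SHELL_SUFFIXES) or _ci(ev.get("OriginalFileName")) in SHELL_NAMES
    # selection_user: the SYSTEM logon session (0x3e7) plus a localized AUTHORITY/AUTORITE user name
    sel_user = ev.get("LogonId") == "0x3e7" and _contains(ev.get("User"), "AUTHORI", "AUTORI")
    parent = ev.get("ParentImage")
    filter_main = _contains(parent, *COMMON_PARENTS) or parent in ("", "-") or parent is None
    filter_optional = (
        (_contains(ev.get("CommandLine"), ':\\WINDOWS\\system32\\cmd.exe /c "')
         and _contains(ev.get("CurrentDirectory"), ":\\WINDOWS\\Temp\\asgard2-agent\\"))
        or (_contains(ev.get("CommandLine"), ":\\IBM\\SpectrumProtect\\webserver\\scripts\\")
            and _contains(parent, ":\\IBM\\SpectrumProtect\\webserver\\scripts\\"))
        or (_endswith(ev.get("Image"), "\\cmd.exe")
            and _endswith(parent, ":\\ManageEngine\\ADManager Plus\\pgsql\\bin\\postgres.exe")))
    return sel_shell and sel_user and not filter_main and not filter_optional

def sample_event(**overrides):
    """Constructed SYSTEM cmd.exe event (not real telemetry); override fields per case."""
    ev = {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
          "User": "NT AUTHORITY\\SYSTEM", "LogonId": "0x3e7",
          "ParentImage": "C:\\Users\\Public\\updater.exe", "CommandLine": "cmd.exe /c whoami"}
    ev.update(overrides)
    return ev

if __name__ == "__main__":
    for label, ev in [("uncommon parent", sample_event()),
                      ("services.exe parent", sample_event(ParentImage="C:\\Windows\\System32\\services.exe")),
                      ("interactive user", sample_event(User="CORP\\alice", LogonId="0x5f2a1"))]:
        print(f"{label:20} alert={rule_matches(ev)}")
```

Baselining means feeding real process-creation events through rule_matches and turning each recurring legitimate parent into a new filter entry rather than widening filter_main_generic.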