LoFP / some security products seem to spawn these

Techniques

Sample rules

Windows Processes Suspicious Parent Directory

Description

Detect suspicious parent processes of well-known Windows processes

Detection logic

condition: selection and not 1 of filter_*
filter_msmpeng:
  ParentImage|contains:
  - \Windows Defender\
  - \Microsoft Security Client\
  ParentImage|endswith: \MsMpEng.exe
filter_null:
- ParentImage: null
- ParentImage: '-'
filter_sys:
- ParentImage|endswith:
  - \SavService.exe
  - \ngen.exe
- ParentImage|contains:
  - \System32\
  - \SysWOW64\
selection:
  Image|endswith:
  - \svchost.exe
  - \taskhost.exe
  - \lsm.exe
  - \lsass.exe
  - \services.exe
  - \lsaiso.exe
  - \csrss.exe
  - \wininit.exe
  - \winlogon.exe
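To see exactly which events the rule above fires on and which the three filters suppress, here is the Sigma logic re-implemented as a plain Python matcher and run over constructed Sysmon-style process-creation events. This is an added example, not code from the LoFP page or the Sigma project; the event records, the paths and the vendor name "ExampleAV" are made up for illustration, and the matcher assumes Sigma's default case-insensitive string matching for `contains` and `endswith`.

```python
# Added example (not from the LoFP page or the Sigma project): the rule
# 'Windows Processes Suspicious Parent Directory' as a Python matcher, run
# over constructed process-creation events. Field names follow the Sigma
# process_creation/windows logsource (Image, ParentImage).

# selection: Image|endswith (Sigma string matching is case-insensitive by default)
SELECTION_IMAGES = (
    "\\svchost.exe", "\\taskhost.exe", "\\lsm.exe", "\\lsass.exe",
    "\\services.exe", "\\lsaiso.exe", "\\csrss.exe", "\\wininit.exe",
    "\\winlogon.exe",
)
# filter_msmpeng: two keys in one map, so both must hold (AND)
MSMPENG_DIRS = ("\\windows defender\\", "\\microsoft security client\\")
MSMPENG_IMAGE = "\\msmpeng.exe"
# filter_sys: a list of two maps, so either may hold (OR)
SYS_PARENT_IMAGES = ("\\savservice.exe", "\\ngen.exe")
SYS_PARENT_DIRS = ("\\system32\\", "\\syswow64\\")


def _lower(value):
    """Lower-case string fields; pass None and non-strings through unchanged."""
    return value.lower() if isinstance(value, str) else value


def selection(event):
    image = _lower(event.get("Image"))
    return isinstance(image, str) and image.endswith(SELECTION_IMAGES)


def filter_msmpeng(event):
    parent = _lower(event.get("ParentImage"))
    return (isinstance(parent, str)
            and any(d in parent for d in MSMPENG_DIRS)
            and parent.endswith(MSMPENG_IMAGE))


def filter_null(event):
    # 'ParentImage: null' matches a missing field; '-' is the literal some
    # sensors write when the parent process could not be resolved.
    parent = event.get("ParentImage")
    return parent is None or parent == "-"


def filter_sys(event):
    parent = _lower(event.get("ParentImage"))
    return isinstance(parent, str) and (
        parent.endswith(SYS_PARENT_IMAGES)
        or any(d in parent for d in SYS_PARENT_DIRS))


FILTERS = (filter_msmpeng, filter_null, filter_sys)


def matches(event):
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


def alerts(events):
    """Return the events the rule fires on, in input order."""
    return [e for e in events if matches(e)]


# Constructed events (not real telemetry); ExampleAV is a made-up vendor.
EVENTS = [
    # 0: normal service start from the System32 parent -> filter_sys
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    # 1: svchost.exe launched from a user temp directory -> fires
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
    # 2: Defender's engine as parent -> filter_msmpeng (a known benign case)
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1\\MsMpEng.exe"},
    # 3: sensor could not resolve the parent -> filter_null
    {"Image": "C:\\Windows\\System32\\csrss.exe", "ParentImage": "-"},
    # 4: ParentImage absent entirely -> filter_null
    {"Image": "C:\\Windows\\System32\\winlogon.exe"},
    # 5: mixed-case path from a SysWOW64 parent -> filter_sys (case-insensitive)
    {"Image": "C:\\WINDOWS\\SYSTEM32\\TASKHOST.EXE",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe"},
    # 6: a security product no filter covers -> fires; this is the kind of
    #    benign hit the LoFP entry describes and would need its own filter
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Program Files\\ExampleAV\\agent.exe"},
    # 7: Image not in the selection list -> never fires
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
]

if __name__ == "__main__":
    for e in alerts(EVENTS):
        print("ALERT:", e["Image"], "<-", e.get("ParentImage"))
```

Two things worth noticing when tuning this rule against the false positive the page records: a security product whose parent path is not under one of the listed directories (event 6) still fires, so the fix is an additional `filter_*` entry for that product's install path rather than widening `filter_sys`; and `filter_null` means any sensor that leaves `ParentImage` empty or writes `-` silently suppresses the alert, so a data-source with poor parent resolution makes the rule look quieter than it is.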