From a9c7fe202ea4809bbb011b51ff00a52c1dcb4ffa Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 9 Apr 2018 08:37:16 +0200
Subject: [PATCH] Rule: Windows shell spawning suspicious program
---
 .../sysmon_shell_spawn_susp_program.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
new file mode 100644
index 000000000..20a5fab3d
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
@@ -0,0 +1,34 @@
+title: Windows Shell Spawning Suspicious Program
+status: experimental
+description: Detects a suspicious child process of a Windows shell
+references:
+ - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 20018/04/06
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage:
+ - '*\mshta.exe'
+ - '*\powershell.exe'
+ - '*\cmd.exe'
+ - '*\rundll32.exe'
+ - '*\cscript.exe'
+ - '*\wscript.exe'
+ - '*\wmiprvse.exe'
+ Image:
+ - '*\schtasks.exe'
+ - '*\nslookup.exe'
+ - '*\certutil.exe'
+ - '*\bitsadmin.exe'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative scripts
+level: medium
+
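Review bot: The `date` field in the new rule reads `date: 20018/04/06`, a five-digit year; it should be `date: 2018/04/06`, which also agrees with the commit date. The value is a plain string to YAML, so nothing rejects it at load time, but any tooling that parses or sorts rules by date will handle this one wrongly. Separately, `wmiprvse.exe` in `ParentImage` is the WMI provider host rather than a shell, so the description undersells what the selection covers; `description: Detects a suspicious child process of a Windows shell or the WMI provider host` would state it accurately. The `fields` entries `CommandLine` and `ParentCommandLine` are the right triage context, since the `powershell.exe`/`cmd.exe` to `schtasks.exe` pairing is exactly the case the `Administrative scripts` false-positive entry anticipates.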