diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml new file mode 100644 index 000000000..5c79b2b62 --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -0,0 +1,58 @@ +title: Suspicious PowerShell Parent Process +id: 754ed792-634f-40ae-b3bc-e0448d33f695 +description: Detects a suspicious parents of powershell.exe +status: experimental +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 +author: Teymur Kheirkhabarov, Harish Segar (rule) +date: 2020/03/20 +tags: + - attack.execution + - attack.t1086 +logsource: + category: process_creation + product: windows +detection: + selection_image1: + - ParentImage|endswith: + - '\mshta.exe' + - '\rundll32.exe' + - '\regsvr32.exe' + - '\services.exe' + - '\winword.exe' + - '\wmiprvse.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\msaccess.exe' + - '\mspub.exe' + - '\visio.exe' + - '\outlook.exe' + - '\amigo.exe' + - '\chrome.exe' + - '\firefox.exe' + - '\iexplore.exe' + - '\microsoftedgecp.exe' + - '\microsoftedge.exe' + - '\browser.exe' + - '\vivaldi.exe' + - '\safari.exe' + - '\sqlagent.exe' + - '\sqlserver.exe' + - '\sqlservr.exe' + - '\w3wp.exe' + - '\httpd.exe' + - '\nginx.exe' + - '\php-cgi.exe' + - '\jbosssvc.exe' + - "MicrosoftEdgeSH.exe" + - ParentImage|contains: "tomcat" + selection_powershell: + - CommandLine|contains: + - "powershell" + - "pwsh" + - Description: "Windows PowerShell" + - Product: "PowerShell Core 6" + condition: all of them +falsepositives: + - Other scripts +level: medium