title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: experimental
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
    - https://twitter.com/filip_dragovic/status/1590052248260055041
    - https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth, Tim Shelton (fp werfault)
date: 2022/11/10
modified: 2022/12/30
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2022.41120
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter:
        - Image:
            - 'C:\Windows\Sysmon.exe'
            - 'C:\Windows\Sysmon64.exe'
            - 'C:\Windows\System32\conhost.exe'
            - 'wevtutil.exe'
            - 'C:\WINDOWS\system32\wevtutil.exe'
            - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
        - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
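The following Python block is an added example, not part of the rule above or of the Sigma project. It re-implements the rule's `selection`, `filter` and `condition` logic by hand and runs it over a handful of constructed process_creation events, so the effect of each filter entry (normal Sysmon child processes, the WerFault crash case, the 32-bit binary unpacked to Temp) can be seen next to an event that does fire. Sigma string matching is case-insensitive by default, which the code mirrors by lowercasing both sides; all event values are invented for illustration.

```python
"""Hand-rolled evaluation of 'Suspicious Sysmon as Execution Parent'.

Added example: mirrors the rule's selection/filter blocks so the
condition 'selection and not filter' can be checked against sample events.
"""

# selection: ParentImage|endswith (Sigma matching is case-insensitive)
SELECTION_PARENT_SUFFIXES = ("\\sysmon.exe", "\\sysmon64.exe")

# filter, first list entry: Image (exact match against any listed value)
FILTER_IMAGE_EXACT = {
    "c:\\windows\\sysmon.exe",
    "c:\\windows\\sysmon64.exe",
    "c:\\windows\\system32\\conhost.exe",
    "wevtutil.exe",
    "c:\\windows\\system32\\wevtutil.exe",
    "c:\\windows\\system32\\werfault.exe",  # when Sysmon crashes
}
# filter, second list entry: Image|endswith (32-bit Sysmon unpacked to Temp)
FILTER_IMAGE_SUFFIXES = ("\\appdata\\local\\temp\\sysmon.exe",)


def matches_selection(event: dict) -> bool:
    """True when the parent process is Sysmon.exe or Sysmon64.exe."""
    parent = event.get("ParentImage", "").lower()
    return parent.endswith(SELECTION_PARENT_SUFFIXES)


def matches_filter(event: dict) -> bool:
    """True when the child image is one of the known benign Sysmon children.

    The two filter entries are a YAML list, so Sigma ORs them together.
    """
    image = event.get("Image", "").lower()
    return image in FILTER_IMAGE_EXACT or image.endswith(FILTER_IMAGE_SUFFIXES)


def rule_fires(event: dict) -> bool:
    """condition: selection and not filter"""
    return matches_selection(event) and not matches_filter(event)


# Constructed sample events (not real telemetry); only the two fields the
# rule reads are included.
SAMPLE_EVENTS = [
    # Sysmon launching its 64-bit binary: selection matches, filter suppresses.
    {"ParentImage": "C:\\Windows\\Sysmon.exe",
     "Image": "C:\\Windows\\Sysmon64.exe"},
    # Sysmon crash handled by WerFault: suppressed by the WerFault entry.
    {"ParentImage": "C:\\Windows\\Sysmon64.exe",
     "Image": "C:\\Windows\\System32\\WerFault.exe"},
    # 32-bit Sysmon unpacked to Temp during install: suppressed by endswith.
    {"ParentImage": "C:\\Users\\alice\\Downloads\\Sysmon.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Sysmon.exe"},
    # Sysmon spawning a shell: nothing in the filter covers this, rule fires.
    {"ParentImage": "C:\\Windows\\Sysmon64.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    # Ordinary user activity: parent is not Sysmon, selection does not match.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    # Same as the firing case but with odd casing: still fires.
    {"ParentImage": "c:\\windows\\SYSMON64.EXE",
     "Image": "C:\\Windows\\Temp\\update.exe"},
]


def evaluate(events) -> list:
    """Return one boolean per event: whether the rule would alert on it."""
    return [rule_fires(e) for e in events]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if fired else 'ignore'}  "
              f"{event['ParentImage']} -> {event['Image']}")
```

The bare `'wevtutil.exe'` filter entry is kept as an exact match, exactly as the rule has it: because `Image` is normally a full path, that entry only suppresses events whose `Image` field is literally `wevtutil.exe`, while the full-path `C:\WINDOWS\system32\wevtutil.exe` entry does the practical work. Running the script prints one line per sample event; only the two events where Sysmon spawns an unfiltered child are marked as alerts.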