frack113
61 lines
1.5 KiB
YAML
61 lines
1.5 KiB
YAML
title: Suspicious PowerShell Parent Process
|
|
id: 754ed792-634f-40ae-b3bc-e0448d33f695
|
|
status: test
|
|
description: Detects a suspicious parents of powershell.exe
|
|
author: Teymur Kheirkhabarov, Harish Segar (rule)
|
|
references:
|
|
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
|
|
date: 2020/03/20
|
|
modified: 2021/11/27
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_image1:
|
|
- ParentImage|endswith:
|
|
- '\mshta.exe'
|
|
- '\rundll32.exe'
|
|
- '\regsvr32.exe'
|
|
- '\services.exe'
|
|
- '\winword.exe'
|
|
- '\wmiprvse.exe'
|
|
- '\powerpnt.exe'
|
|
- '\excel.exe'
|
|
- '\msaccess.exe'
|
|
- '\mspub.exe'
|
|
- '\visio.exe'
|
|
- '\outlook.exe'
|
|
- '\amigo.exe'
|
|
- '\chrome.exe'
|
|
- '\firefox.exe'
|
|
- '\iexplore.exe'
|
|
- '\microsoftedgecp.exe'
|
|
- '\microsoftedge.exe'
|
|
- '\browser.exe'
|
|
- '\vivaldi.exe'
|
|
- '\safari.exe'
|
|
- '\sqlagent.exe'
|
|
- '\sqlserver.exe'
|
|
- '\sqlservr.exe'
|
|
- '\w3wp.exe'
|
|
- '\httpd.exe'
|
|
- '\nginx.exe'
|
|
- '\php-cgi.exe'
|
|
- '\jbosssvc.exe'
|
|
- "MicrosoftEdgeSH.exe"
|
|
- ParentImage|contains: "tomcat"
|
|
selection_powershell:
|
|
- CommandLine|contains:
|
|
- "powershell"
|
|
- "pwsh"
|
|
- Description: "Windows PowerShell"
|
|
- Product: "PowerShell Core 6"
|
|
condition: all of them
|
|
falsepositives:
|
|
- Other scripts
|
|
level: high
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 # an old one
|