From 0bc9b126f62999dfe8c3149d96c2abfc0e067be8 Mon Sep 17 00:00:00 2001 From: Hilton Date: Thu, 14 Sep 2023 02:51:07 +1000 Subject: [PATCH] Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity (#3091) * Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour. * simplified detection logic by utilising process.parent.args --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> (cherry picked from commit ccfc931fbd047606f6651d6739d62288309b97b8) --- .../execution_command_shell_started_by_unusual_process.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index fd0b008d3..f5c6bef24 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml @@ -51,7 +51,8 @@ process where host.os.type == "windows" and event.type == "start" and "WerFault.exe", "WUDFHost.exe", "unsecapp.exe", - "wlanext.exe" ) + "wlanext.exe" ) and + not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}") '''
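Review bot: the new exclusion in the hunk pins the parent only by `process.parent.name : "dllhost.exe"` plus the `/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}` argument, so any binary named dllhost.exe launched from an arbitrary directory with that argument string would also be carved out of the rule; consider tightening it to the expected system path, e.g. `not (process.parent.executable : "?:\\Windows\\System32\\dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")`, so the exception stays scoped to the genuine OOBE Elevated Object Server host described in the commit message. It would also help future tuners if the rule's false-positive or note section recorded that this CLSID corresponds to the OOBE component, since the query alone does not explain why the GUID is special.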