[metadata] creation_date = "2020/08/21" integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/06/22" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process." from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : "cmd.exe" and process.parent.name : ("lsass.exe", "csrss.exe", "epad.exe", "regsvr32.exe", "dllhost.exe", "LogonUI.exe", "wermgr.exe", "spoolsv.exe", "jucheck.exe", "jusched.exe", "ctfmon.exe", "taskhostw.exe", "GoogleUpdate.exe", "sppsvc.exe", "sihost.exe", "slui.exe", "SIHClient.exe", "SearchIndexer.exe", "SearchProtocolHost.exe", "FlashPlayerUpdateService.exe", "WerFault.exe", "WUDFHost.exe", "unsecapp.exe", "wlanext.exe" ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"