Suspicious Process Creation CallTrace

Author: Elastic
Source: upstream

Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1055` Process Injection, `T1055.012` Process Injection: Process Hollowing
Defense Evasion	`T1055` Process Injection, `T1055.012` Process Injection: Process Hollowing

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	10	ProcessAccess

Stages and Predicates

Stage 1: `eql:process`

not (process.args:(12288 or 8192) and process.executable:"?:\\Windows\\splwow64.exe" and process.parent.name:"winword.exe") and not (process.executable:"?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe" and process.parent.name:"winword.exe") and not (process.executable:"?:\\Program Files\\Microsoft Office\\root\\Office*\\ADDINS\\*.exe" and process.parent.name:"EXCEL.EXE") and not (process.parent.args:"?:\\Program Files\\*" and process.parent.name:"regsvr32.exe") and not (process.parent.args:"?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc" and process.parent.name:"rundll32.exe") and process.parent.name:"winword.exe"

Stage 2: `eql:process`

winlog.event_data.CallTrace:"UNKNOWN"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`Image`	eq	`?:\Windows\splwow64.exe`
2	`parent_process_name`	eq	`winword.exe`, `excel.exe`, `outlook.exe`, `powerpnt.exe`
3	`process.args`	in	`12288`, `8192`
4	`Image`	wildcard	`?:\Program Files (x86)\Microsoft\EdgeWebView\Application\*\msedgewebview2.exe`, `?:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe`, `?:\Windows\SysWOW64\DWWIN.EXE`
5	`parent_process_name`	eq	`winword.exe`, `excel.exe`, `outlook.exe`, `powerpnt.exe`
6	`Image`	wildcard	`?:\Program Files\Microsoft Office\root\Office\ADDINS\.exe`
7	`parent_process_name`	eq	`EXCEL.EXE`
8	`parent_process_name`	eq	`regsvr32.exe`
9	`process.parent.args`	starts_with	`?:\Program Files\`, `?:\Program Files (x86)\`
10	`parent_process_name`	eq	`rundll32.exe`
11	`process.parent.args`	wildcard	`?:\WINDOWS\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc`, `--no-sandbox`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`process.parent.name`	wildcard	`cmstp.exe` `cscript.exe` `eqnedt32.exe` `excel.exe` `fltldr.exe` `msaccess.exe` `mshta.exe` `mspub.exe` `msxsl.exe` `outlook.exe` `powerpnt.exe` `regsvr32.exe` `rundll32.exe` `winword.exe` `wmic.exe` `wscript.exe`
`winlog.event_data.CallTrace`	wildcard	`UNKNOWN` corpus 2 (elastic 2)