detection.wiki

Detection rules › Sigma

Potentially Suspicious Child Process Of DiskShadow.EXE

Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1218 System Binary Proxy Execution

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\certutil.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\wscript.exe'
ParentImage|endswith: '\diskshadow.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \certutil.exe corpus 34 (sigma 34)
  • \cscript.exe corpus 64 (sigma 64)
  • \mshta.exe corpus 57 (sigma 57)
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \regsvr32.exe corpus 57 (sigma 57)
  • \rundll32.exe corpus 76 (sigma 76)
  • \wscript.exe corpus 64 (sigma 64)
ParentImageends_with
  • \diskshadow.exe