Suspicious Process Parents

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects suspicious parent processes that should not have any children or should only have a single possible child program

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1036` Masquerading

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

or:
ParentImage|endswith: '\bitsadmin.exe'
ParentImage|endswith: '\minesweeper.exe'
ParentImage|endswith: '\winver.exe'

Stage 2: `selection_special`

or:
ParentImage|endswith: '\calc.exe'
ParentImage|endswith: '\certutil.exe'
ParentImage|endswith: '\csrss.exe'
ParentImage|endswith: '\eventvwr.exe'
ParentImage|endswith: '\notepad.exe'

Stage 3: `not 1 of filter_*`

or:
Image|endswith: '\WerFault.exe'
Image|endswith: '\conhost.exe'
Image|endswith: '\mmc.exe'
Image|endswith: '\notepad.exe'
Image|endswith: '\wermgr.exe'
Image|endswith: '\win32calc.exe'
Image: null

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\WerFault.exe` corpus 8 (sigma 8) `\conhost.exe` corpus 7 (sigma 7) `\mmc.exe` corpus 6 (sigma 6) `\notepad.exe` corpus 11 (sigma 11) `\wermgr.exe` corpus 3 (sigma 3) `\win32calc.exe`
`ParentImage`	ends_with	`\bitsadmin.exe` `\calc.exe` `\certutil.exe` `\csrss.exe` corpus 3 (sigma 3) `\eventvwr.exe` corpus 2 (sigma 2) `\minesweeper.exe` `\notepad.exe` `\winver.exe`