Windows Processes Suspicious Parent Directory

Severity: low
Author: vburov
Source: upstream

Detect suspicious parent processes of well-known Windows processes

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1036.003` Masquerading: Rename Legitimate Utilities, `T1036.005` Masquerading: Match Legitimate Resource Name or Location

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

or:
Image|endswith: '\csrss.exe'
Image|endswith: '\lsaiso.exe'
Image|endswith: '\lsass.exe'
Image|endswith: '\lsm.exe'
Image|endswith: '\services.exe'
Image|endswith: '\svchost.exe'
Image|endswith: '\taskhost.exe'
Image|endswith: '\wininit.exe'
Image|endswith: '\winlogon.exe'

Stage 2: `not 1 of filter_*`

or:
or:
ParentImage|contains: '\Microsoft Security Client\'
ParentImage|contains: '\Windows Defender\'
ParentImage|endswith: '\MsMpEng.exe'
ParentImage|endswith: '\SavService.exe'
ParentImage|endswith: '\ngen.exe'
ParentImage: ''
ParentImage: -
ParentImage: null
ParentImage|contains: '\SysWOW64\'
ParentImage|contains: '\System32\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\csrss.exe` corpus 3 (sigma 3) `\lsaiso.exe` `\lsass.exe` corpus 5 (sigma 5) `\lsm.exe` corpus 2 (sigma 2) `\services.exe` corpus 3 (sigma 3) `\svchost.exe` corpus 20 (sigma 20) `\taskhost.exe` corpus 2 (sigma 2) `\wininit.exe` corpus 3 (sigma 3) `\winlogon.exe` corpus 5 (sigma 5)
`ParentImage`	ends_with	`\MsMpEng.exe` corpus 3 (sigma 3) `\SavService.exe` `\ngen.exe` corpus 2 (sigma 2)
`ParentImage`	eq	`-` corpus 5 (sigma 5)
`ParentImage`	match	`\Microsoft Security Client\` `\SysWOW64\` `\System32\` `\Windows Defender\`