diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_parent_run_itself.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_parent_run_itself.yml
new file mode 100644
index 00000000000..1fc70217373
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_parent_run_itself.yml
@@ -0,0 +1,58 @@
+title: Potential Executable Run Itself As Scrificial Process
+id: bafd07c6-3ea5-454a-b4be-058fbb073de7
+status: experimental
+description: |
+    Detects an executable that executes himself.
+    The most common technique is to launch it in suspend mode so that you can inject into it.
+references:
+    - https://www.joesandbox.com/analysis/1605063/0/html
+author: frack113
+date: 2025-02-04
+tags:
+    - attack.defense-evasion
+    - attack.t1055
+    - detection.threat-hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|fieldref: ParentImage
+    filter_path:
+        Image|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+    filter_original:
+        OriginalFileName:
+            - 'Cmd.Exe'
+            - 'CompatTelRunner.exe'
+            - 'Discord.exe'
+            - 'electron.exe' # Vs Code
+            - 'EXPLORER.EXE'
+            - 'httpd.exe'
+            - 'IE4UINIT.EXE'
+            - 'mmc.exe'
+            - 'MpCmdRun.exe'
+            - 'mscorsvw.exe'
+            - 'msiexec.exe'
+            - 'NGenTask.exe'
+            - 'OneDriveSetup.exe'
+            - 'PowerShell.EXE'
+            - 'REGSVR32.EXE'
+            - 'smss.exe'
+            - 'Spotify.exe'
+            - 'WerMgr'
+    filter_product:
+        Product:
+            - 'Avira'
+            - 'Evernote'
+            - 'Firefox'
+            - 'Microsoft Office'
+            - 'Ninite'
+            - 'Opera Browser Assistant Installer'
+            - 'Opera Installer'
+            - 'Sysinternals Sysmon'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: medium
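Review bot: The title on the first line of the new rule misspells "Sacrificial" (`title: Potential Executable Run Itself As Sacrificial Process`), and the description block reads awkwardly: `Detects an executable that executes itself.` and `The most common technique is to launch it in suspended mode so that code can be injected into it.` would be clearer. The `'WerMgr'` entry in filter_original is the only OriginalFileName value without an extension; if the binary's version resource really reports it that way this is fine, otherwise it should be `'WerMgr.exe'`, so it is worth confirming against a sample event before the rule is relied on. Since the description names suspended-mode creation as the typical pattern but the selection only compares Image with ParentImage, a short comment on the selection noting that the process_creation category does not expose creation flags and that the three filter_* groups carry all of the tuning would help the next maintainer. The `falsepositives: - Unknown` entry could likewise name the self-updating installers and browsers that the filters already enumerate, since those are the known benign sources.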