EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious PowerShell Parent Process

Detects a suspicious or uncommon parent processes of PowerShell

MITRE ATT&CK

T1059.001
execution

Detection Query

selection_parent:
  - ParentImage|contains: tomcat
  - ParentImage|endswith:
      - \amigo.exe
      - \browser.exe
      - \chrome.exe
      - \firefox.exe
      - \httpd.exe
      - \iexplore.exe
      - \jbosssvc.exe
      - \microsoftedge.exe
      - \microsoftedgecp.exe
      - \MicrosoftEdgeSH.exe
      - \mshta.exe
      - \nginx.exe
      - \outlook.exe
      - \php-cgi.exe
      - \regsvr32.exe
      - \rundll32.exe
      - \safari.exe
      - \services.exe
      - \sqlagent.exe
      - \sqlserver.exe
      - \sqlservr.exe
      - \vivaldi.exe
      - \w3wp.exe
selection_powershell:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - CommandLine|contains:
      - /c powershell
      - /c pwsh
  - Description: Windows PowerShell
  - Product: PowerShell Core 6
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
condition: all of selection_*

Author

Teymur Kheirkhabarov, Harish Segar

Created

2020-03-20

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001
Raw Content
title: Suspicious PowerShell Parent Process
id: 754ed792-634f-40ae-b3bc-e0448d33f695
related:
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: derived
status: test
description: Detects a suspicious or uncommon parent processes of PowerShell
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
author: Teymur Kheirkhabarov, Harish Segar
date: 2020-03-20
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        - ParentImage|contains: 'tomcat'
        - ParentImage|endswith:
              - '\amigo.exe'
              - '\browser.exe'
              - '\chrome.exe'
              - '\firefox.exe'
              - '\httpd.exe'
              - '\iexplore.exe'
              - '\jbosssvc.exe'
              - '\microsoftedge.exe'
              - '\microsoftedgecp.exe'
              - '\MicrosoftEdgeSH.exe'
              - '\mshta.exe'
              - '\nginx.exe'
              - '\outlook.exe'
              - '\php-cgi.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\safari.exe'
              - '\services.exe'
              - '\sqlagent.exe'
              - '\sqlserver.exe'
              - '\sqlservr.exe'
              - '\vivaldi.exe'
              - '\w3wp.exe'
    selection_powershell:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - CommandLine|contains:
              - '/c powershell'  # FPs with sub processes that contained "powershell" somewhere in the command line
              - '/c pwsh'
        - Description: 'Windows PowerShell'
        - Product: 'PowerShell Core 6'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    condition: all of selection_*
falsepositives:
    - Other scripts
level: high