Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
```yaml
title: ImagingDevices Unusual Parent/Child Processes
id: f11f2808-adb4-46c0-802a-8660db50fa99
status: test
description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2022-12-29
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more if known
            - \WmiPrvSE.exe
            - \svchost.exe
            - \dllhost.exe
        Image|endswith: '\ImagingDevices.exe'
    selection_child:
        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
        ParentImage|endswith: '\ImagingDevices.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
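As an added example (not part of the Sigma rule or of the KQL conversion that follows), here are the rule's two selections and its `1 of selection_*` condition implemented in Python and run over constructed process-creation events; the field names assume the Sigma `process_creation` schema (`Image`, `ParentImage`) and the sample events are made up for the illustration.

```python
SUSPICIOUS_PARENTS = ("\\wmiprvse.exe", "\\svchost.exe", "\\dllhost.exe")
IMAGING = ("\\imagingdevices.exe",)


def _endswith(value, suffixes):
    """Sigma's endswith modifier is case-insensitive by default, so compare lowercased."""
    v = (value or "").lower()
    return any(v.endswith(s) for s in suffixes)


def selection_parent(event):
    """selection_parent: ImagingDevices.exe started by WmiPrvSE, svchost or dllhost."""
    return (_endswith(event.get("ParentImage"), SUSPICIOUS_PARENTS)
            and _endswith(event.get("Image"), IMAGING))


def selection_child(event):
    """selection_child: any process whose parent is ImagingDevices.exe."""
    return _endswith(event.get("ParentImage"), IMAGING)


def matches(event):
    """condition: 1 of selection_* (either selection is enough)."""
    return selection_parent(event) or selection_child(event)


# Constructed sample process_creation events (not real telemetry); field names
# follow the Sigma process_creation schema used by the rule.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\ImagingDevices.exe"},          # selection_parent
    {"ParentImage": r"C:\Windows\System32\ImagingDevices.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                     # selection_child
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\ImagingDevices.exe"},          # benign launch
]


def run(events=SAMPLE_EVENTS):
    """Return the indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    print(run())  # -> [0, 1]
```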
```kql
imProcessCreate
| where (((ParentProcessName endswith "\\WmiPrvSE.exe" or ParentProcessName endswith "\\svchost.exe" or ParentProcessName endswith "\\dllhost.exe")
          or (ActingProcessName endswith "\\WmiPrvSE.exe" or ActingProcessName endswith "\\svchost.exe" or ActingProcessName endswith "\\dllhost.exe"))
         and TargetProcessName endswith "\\ImagingDevices.exe")
    or (ParentProcessName endswith "\\ImagingDevices.exe" or ActingProcessName endswith "\\ImagingDevices.exe")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |