Detects potentially suspicious child processes of a ClickOnce deployment application
```yaml
title: Potentially Suspicious Child Process Of ClickOnce Application
id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
status: test
description: Detects potentially suspicious child processes of a ClickOnce deployment application
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # ClickOnce applications run from the per-user app cache under
        # %LOCALAPPDATA%\Apps\2.0\; anything they spawn inherits that parent path.
        ParentImage|contains: '\AppData\Local\Apps\2.0\'
        Image|endswith:
            # Add more suspicious processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
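The selection above is two conditions joined by AND: the parent's path must contain the ClickOnce app-cache fragment, and the child image must end with one of the listed names. The following is an added example, not part of the Sigma rule or the SigmaHQ project, that evaluates that logic over constructed Sysmon Event ID 1 records. Field names follow the Sigma process_creation schema (Image, ParentImage); the user name, application directory and file names are placeholders.

```python
# Added example (not from the Sigma rule or SigmaHQ): a minimal matcher for the
# rule's `selection` block, run over constructed process-creation records.
from typing import Dict, List

# The two conditions from `selection`. Sigma's |contains and |endswith match
# case-insensitively, so both sides are lower-cased before comparing; KQL's
# `contains` and `endswith` in the Sentinel translation behave the same way.
CLICKONCE_PARENT_FRAGMENT = "\\AppData\\Local\\Apps\\2.0\\"
SUSPICIOUS_CHILDREN = (
    "\\calc.exe", "\\cmd.exe", "\\cscript.exe", "\\explorer.exe", "\\mshta.exe",
    "\\net.exe", "\\net1.exe", "\\nltest.exe", "\\notepad.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\reg.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\schtasks.exe",
    "\\werfault.exe", "\\wscript.exe",
)


def matches_rule(event: Dict[str, str]) -> bool:
    """True when ParentImage contains the ClickOnce app-cache path AND Image
    ends with one of the listed binaries. Both conditions are required."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if CLICKONCE_PARENT_FRAGMENT.lower() not in parent:
        return False
    return any(image.endswith(child.lower()) for child in SUSPICIOUS_CHILDREN)


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would fire the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry, not captured from a real host. A ClickOnce
# application executes from %LOCALAPPDATA%\Apps\2.0\<id>\<id>\<app-dir>\;
# the identifiers and file names below are made up (hypothetical).
CLICKONCE_APP_DIR = ("C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\"
                     "A1B2C3D4.E5F\\G6H7I8J9.K0L\\MyApp_0001.0000_0123456789abcdef\\")

SAMPLE_EVENTS = [
    {   # ClickOnce app launches PowerShell: fires
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": CLICKONCE_APP_DIR + "Updater.exe",
    },
    {   # Same thing with upper-case paths: still fires (case-insensitive)
        "Image": "C:\\WINDOWS\\SYSTEM32\\CMD.EXE",
        "ParentImage": CLICKONCE_APP_DIR.upper() + "UPDATER.EXE",
    },
    {   # ClickOnce app launches a sibling helper not in the list: silent
        "Image": CLICKONCE_APP_DIR + "Helper.exe",
        "ParentImage": CLICKONCE_APP_DIR + "Updater.exe",
    },
    {   # 'dotnet.exe' ends with 'net.exe' but not '\net.exe': silent,
        # which is why every list entry keeps its leading backslash
        "Image": "C:\\Program Files\\dotnet\\dotnet.exe",
        "ParentImage": CLICKONCE_APP_DIR + "Updater.exe",
    },
    {   # cmd.exe from a conventionally installed program: out of scope here
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Program Files\\Vendor\\Vendor.exe",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} child={hit['Image']}")
```

Only the first two records fire. The third and fourth show the rule's two blind spots worth knowing when tuning it: a ClickOnce payload that drops and runs its own binary, or a LOLBin not on the list, produces no alert, and the list matches on the full file name, so a substring such as `net.exe` inside another name does not.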
The same rule translated to Microsoft Sentinel KQL over the ASIM process-creation schema. Note that the Sigma `ParentImage` field is expanded to both `ParentProcessName` and `ActingProcessName`, since ASIM sources differ in which field carries the parent's path:

```kql
imProcessCreate
| where (ParentProcessName contains "\\AppData\\Local\\Apps\\2.0\\"
         or ActingProcessName contains "\\AppData\\Local\\Apps\\2.0\\")
    and (TargetProcessName endswith "\\calc.exe"
         or TargetProcessName endswith "\\cmd.exe"
         or TargetProcessName endswith "\\cscript.exe"
         or TargetProcessName endswith "\\explorer.exe"
         or TargetProcessName endswith "\\mshta.exe"
         or TargetProcessName endswith "\\net.exe"
         or TargetProcessName endswith "\\net1.exe"
         or TargetProcessName endswith "\\nltest.exe"
         or TargetProcessName endswith "\\notepad.exe"
         or TargetProcessName endswith "\\powershell.exe"
         or TargetProcessName endswith "\\pwsh.exe"
         or TargetProcessName endswith "\\reg.exe"
         or TargetProcessName endswith "\\regsvr32.exe"
         or TargetProcessName endswith "\\rundll32.exe"
         or TargetProcessName endswith "\\schtasks.exe"
         or TargetProcessName endswith "\\werfault.exe"
         or TargetProcessName endswith "\\wscript.exe")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM unifying parser for process-creation events, not a raw table. Ensure a data connector that feeds it (for example Sysmon or Windows Security Events via the Azure Monitor Agent, or Microsoft Defender for Endpoint) is enabled and that the ASIM parsers are deployed in the workspace. |