Detects a suspicious child process of Script Event Consumer (scrcons.exe).
```yaml
title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: test
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
    - https://redcanary.com/blog/child-processes/
    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021-06-21
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\scrcons.exe'
        Image|endswith:
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
```kql
imProcessCreate
| where (ParentProcessName endswith "\\scrcons.exe" or ActingProcessName endswith "\\scrcons.exe")
    and (TargetProcessName endswith "\\svchost.exe"
        or TargetProcessName endswith "\\dllhost.exe"
        or TargetProcessName endswith "\\powershell.exe"
        or TargetProcessName endswith "\\pwsh.exe"
        or TargetProcessName endswith "\\wscript.exe"
        or TargetProcessName endswith "\\cscript.exe"
        or TargetProcessName endswith "\\schtasks.exe"
        or TargetProcessName endswith "\\regsvr32.exe"
        or TargetProcessName endswith "\\mshta.exe"
        or TargetProcessName endswith "\\rundll32.exe"
        or TargetProcessName endswith "\\msiexec.exe"
        or TargetProcessName endswith "\\msbuild.exe")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
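To show how the `selection` above behaves on process_creation telemetry, here is an added Python evaluator run over constructed sample events. It is not part of the rule, of SigmaHQ, or of the Sentinel conversion; it assumes events are dicts keyed by the Sigma field names `ParentImage` and `Image`, and that matching is case-insensitive, as Sigma's `endswith` modifier is. The samples include a `cmd.exe` child of scrcons.exe, which the rule's list does not cover, and a listed child under a different parent, so both fall outside the rule.

```python
"""
Evaluator for the Sigma selection above, run over constructed sample
process_creation events. Added example; it is not part of the rule, of
SigmaHQ, or of the Sentinel query. Events are assumed to be dicts keyed
by the Sigma field names ParentImage and Image.
"""
from typing import Dict, Iterable, List

# Child images the rule flags when the parent is scrcons.exe (taken from the rule).
SUSPICIOUS_CHILDREN = (
    "\\svchost.exe", "\\dllhost.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\wscript.exe", "\\cscript.exe", "\\schtasks.exe", "\\regsvr32.exe",
    "\\mshta.exe", "\\rundll32.exe", "\\msiexec.exe", "\\msbuild.exe",
)

PARENT_SUFFIX = "\\scrcons.exe"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string comparisons are case-insensitive by default, so the field
    values are lowercased before the suffix test (the patterns are already
    lowercase).
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith(PARENT_SUFFIX):
        return False
    return any(image.endswith(child) for child in SUSPICIOUS_CHILDREN)


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process_creation events down to rule hits."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (not real telemetry). The second and third
# records show two ways an event falls outside the rule: a child that is
# not in the list (cmd.exe) and a listed child with a different parent.
# The last record exercises case-insensitive matching of the parent path.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\scrcons.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\wbem\scrcons.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe"},
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\WBEM\SCRCONS.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit['ParentImage']} -> {hit['Image']}")
```

Running the script prints two alerts (the powershell.exe and rundll32.exe children). The Sentinel query above maps `ParentImage` onto either `ParentProcessName` or `ActingProcessName`; when porting this logic to a real pipeline, check which of those columns your connector populates, otherwise the parent test never matches and the rule silently produces nothing.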