Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
```yaml
title: Suspicious Child Process Of BgInfo.EXE
id: 811f459f-9231-45d4-959a-0266c6311987
related:
    - id: aaf46cdc-934e-4284-b329-34aa701e3771
      type: similar
status: test
description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\bginfo.exe'
            - '\bginfo64.exe'
    selection_child:
        - Image|endswith:
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        - Image|contains:
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - ':\Users\Public\'
            - ':\Temp\'
            - ':\Windows\Temp\'
            - ':\PerfLogs\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
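To show how the two selections combine under `all of selection_*`, here is an added example (not part of the rule or of the Sigma project) that evaluates the rule's logic in Python over constructed process-creation events. Field names follow the Sigma `windows/process_creation` schema (`ParentImage`, `Image`); the sample events and their paths are made up, and matching is lower-cased because Sigma's `endswith`/`contains` modifiers are case-insensitive.

```python
# Added example, not the rule's own code: re-implements the Sigma detection
# logic for "Suspicious Child Process Of BgInfo.EXE" over constructed events.
from typing import Dict, List

# selection_parent: ParentImage|endswith
PARENT_SUFFIXES = ("\\bginfo.exe", "\\bginfo64.exe")

# selection_child, first alternative: Image|endswith
CHILD_SUFFIXES = (
    "\\calc.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\notepad.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)

# selection_child, second alternative: Image|contains (user-writable locations)
CHILD_PATH_FRAGMENTS = (
    "\\appdata\\local\\", "\\appdata\\roaming\\", ":\\users\\public\\",
    ":\\temp\\", ":\\windows\\temp\\", ":\\perflogs\\",
)


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies 'all of selection_*'.

    Sigma string modifiers are case-insensitive, so both sides are
    lower-cased before comparison. The two list items under
    selection_child are OR-ed, as Sigma list semantics require.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    selection_parent = parent.endswith(PARENT_SUFFIXES)
    selection_child = image.endswith(CHILD_SUFFIXES) or any(
        fragment in image for fragment in CHILD_PATH_FRAGMENTS
    )
    return selection_parent and selection_child


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": "C:\\Tools\\Bginfo64.exe", "Image": "C:\\Windows\\System32\\wscript.exe"},
    {"ParentImage": "C:\\Tools\\bginfo.exe", "Image": "C:\\Users\\Public\\update.exe"},
    {"ParentImage": "C:\\Tools\\bginfo.exe", "Image": "C:\\Windows\\System32\\conhost.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
]


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events the rule would alert on."""
    return [event for event in events if matches_rule(event)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

Only the first two sample events fire: the third has a BgInfo parent but a child that is neither a listed interpreter nor in a user-writable path, and the fourth has the wrong parent.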
```kql
imProcessCreate
| where ((ParentProcessName endswith "\\bginfo.exe" or ParentProcessName endswith "\\bginfo64.exe")
    or (ActingProcessName endswith "\\bginfo.exe" or ActingProcessName endswith "\\bginfo64.exe"))
  and ((TargetProcessName endswith "\\calc.exe" or TargetProcessName endswith "\\cmd.exe"
    or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\mshta.exe"
    or TargetProcessName endswith "\\notepad.exe" or TargetProcessName endswith "\\powershell.exe"
    or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\wscript.exe")
    or (TargetProcessName contains "\\AppData\\Local\\" or TargetProcessName contains "\\AppData\\Roaming\\"
    or TargetProcessName contains ":\\Users\\Public\\" or TargetProcessName contains ":\\Temp\\"
    or TargetProcessName contains ":\\Windows\\Temp\\" or TargetProcessName contains ":\\PerfLogs\\"))
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |