← Back to SOC feed Coverage →

Uncommon Child Process Of BgInfo.EXE

sigma MEDIUM SigmaHQ
T1059.005T1218T1202
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-06T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects uncommon child processes of “BgInfo.exe” which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Detection Rule

Sigma (Original)

title: Uncommon Child Process Of BgInfo.EXE
id: aaf46cdc-934e-4284-b329-34aa701e3771
related:
    - id: 811f459f-9231-45d4-959a-0266c6311987
      type: similar
status: test
description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2019-10-26
modified: 2023-08-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\bginfo.exe'
            - '\bginfo64.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\bginfo.exe" or ParentProcessName endswith "\\bginfo64.exe") or (ActingProcessName endswith "\\bginfo.exe" or ActingProcessName endswith "\\bginfo64.exe")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml