Detects suspicious parent process for cmd.exe
title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
status: test
description: Detects suspicious parent process for cmd.exe
references:
- https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-21
modified: 2023-12-05
tags:
- attack.execution
- attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith:
            - '\csrss.exe'
            - '\ctfmon.exe'
            - '\dllhost.exe'
            - '\epad.exe'
            - '\FlashPlayerUpdateService.exe'
            - '\GoogleUpdate.exe'
            - '\jucheck.exe'
            - '\jusched.exe'
            - '\LogonUI.exe'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SIHClient.exe'
            - '\sihost.exe'
            - '\slui.exe'
            - '\spoolsv.exe'
            - '\sppsvc.exe'
            - '\taskhostw.exe'
            - '\unsecapp.exe'
            - '\WerFault.exe'
            - '\wermgr.exe'
            - '\wlanext.exe'
            - '\WUDFHost.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
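The rule's `selection` block is a conjunction: the new process must end in `\cmd.exe` and its parent must end in one of the listed images. The following is an added example, not part of the Sigma rule or of the Elastic reference it cites: a small stand-alone evaluator of that selection, run over a handful of constructed process-creation events. It mirrors Sigma's default case-insensitive string matching and reproduces only the `ParentImage` condition (the Sentinel query below additionally tests `ActingProcessName` as an alternative parent field; that is not modelled here). The field names and sample paths are assumptions for illustration.

```python
"""
Added example (not part of the Sigma rule or the Elastic reference): a minimal
stand-alone evaluator for the rule's `selection` block, run over constructed
process-creation events. Sigma string modifiers such as `endswith` compare
case-insensitively, which this code mirrors.
"""

# Parent images the rule treats as unusual spawners of cmd.exe
# (copied from the rule's ParentImage|endswith list).
UNUSUAL_PARENTS = [
    r"\csrss.exe", r"\ctfmon.exe", r"\dllhost.exe", r"\epad.exe",
    r"\FlashPlayerUpdateService.exe", r"\GoogleUpdate.exe", r"\jucheck.exe",
    r"\jusched.exe", r"\LogonUI.exe", r"\lsass.exe", r"\regsvr32.exe",
    r"\SearchIndexer.exe", r"\SearchProtocolHost.exe", r"\SIHClient.exe",
    r"\sihost.exe", r"\slui.exe", r"\spoolsv.exe", r"\sppsvc.exe",
    r"\taskhostw.exe", r"\unsecapp.exe", r"\WerFault.exe", r"\wermgr.exe",
    r"\wlanext.exe", r"\WUDFHost.exe",
]


def sigma_endswith(value, suffix):
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event):
    """Return True if a process_creation event satisfies the rule's selection.

    Both conditions must hold (Sigma maps the fields inside one selection
    with AND): Image ends with '\\cmd.exe' AND ParentImage ends with one of
    the listed parents. The leading backslash in every suffix guards against
    partial file-name matches such as 'notcmd.exe'.
    """
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if not sigma_endswith(image, r"\cmd.exe"):
        return False
    return any(sigma_endswith(parent, p) for p in UNUSUAL_PARENTS)


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy used by the rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},            # normal: user shell
    {"EventID": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe"},    # unusual parent
    {"EventID": 3, "Image": r"C:\Windows\System32\CMD.EXE",
     "ParentImage": r"C:\Windows\System32\WerFault.exe"},   # case differs, still matches
    {"EventID": 4, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe"},      # not cmd.exe
    {"EventID": 5, "Image": r"C:\Tools\notcmd.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe"},    # suffix guard holds
]


def run_detection(events):
    """Apply the rule to each event and return the EventIDs that would alert."""
    return [e["EventID"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print("alerting events:", run_detection(SAMPLE_EVENTS))
```

Because the rule lists its false positives as "Unknown", the useful way to use an evaluator like this is to run it over a baseline window of your own process-creation telemetry first and record which parent images legitimately spawn `cmd.exe` in your environment (installers and updaters in particular), then tune or add a filter before promoting the rule beyond `status: test`.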
imProcessCreate
| where TargetProcessName endswith "\\cmd.exe"
    and (
        (ParentProcessName endswith "\\csrss.exe"
            or ParentProcessName endswith "\\ctfmon.exe"
            or ParentProcessName endswith "\\dllhost.exe"
            or ParentProcessName endswith "\\epad.exe"
            or ParentProcessName endswith "\\FlashPlayerUpdateService.exe"
            or ParentProcessName endswith "\\GoogleUpdate.exe"
            or ParentProcessName endswith "\\jucheck.exe"
            or ParentProcessName endswith "\\jusched.exe"
            or ParentProcessName endswith "\\LogonUI.exe"
            or ParentProcessName endswith "\\lsass.exe"
            or ParentProcessName endswith "\\regsvr32.exe"
            or ParentProcessName endswith "\\SearchIndexer.exe"
            or ParentProcessName endswith "\\SearchProtocolHost.exe"
            or ParentProcessName endswith "\\SIHClient.exe"
            or ParentProcessName endswith "\\sihost.exe"
            or ParentProcessName endswith "\\slui.exe"
            or ParentProcessName endswith "\\spoolsv.exe"
            or ParentProcessName endswith "\\sppsvc.exe"
            or ParentProcessName endswith "\\taskhostw.exe"
            or ParentProcessName endswith "\\unsecapp.exe"
            or ParentProcessName endswith "\\WerFault.exe"
            or ParentProcessName endswith "\\wermgr.exe"
            or ParentProcessName endswith "\\wlanext.exe"
            or ParentProcessName endswith "\\WUDFHost.exe")
        or
        (ActingProcessName endswith "\\csrss.exe"
            or ActingProcessName endswith "\\ctfmon.exe"
            or ActingProcessName endswith "\\dllhost.exe"
            or ActingProcessName endswith "\\epad.exe"
            or ActingProcessName endswith "\\FlashPlayerUpdateService.exe"
            or ActingProcessName endswith "\\GoogleUpdate.exe"
            or ActingProcessName endswith "\\jucheck.exe"
            or ActingProcessName endswith "\\jusched.exe"
            or ActingProcessName endswith "\\LogonUI.exe"
            or ActingProcessName endswith "\\lsass.exe"
            or ActingProcessName endswith "\\regsvr32.exe"
            or ActingProcessName endswith "\\SearchIndexer.exe"
            or ActingProcessName endswith "\\SearchProtocolHost.exe"
            or ActingProcessName endswith "\\SIHClient.exe"
            or ActingProcessName endswith "\\sihost.exe"
            or ActingProcessName endswith "\\slui.exe"
            or ActingProcessName endswith "\\spoolsv.exe"
            or ActingProcessName endswith "\\sppsvc.exe"
            or ActingProcessName endswith "\\taskhostw.exe"
            or ActingProcessName endswith "\\unsecapp.exe"
            or ActingProcessName endswith "\\WerFault.exe"
            or ActingProcessName endswith "\\wermgr.exe"
            or ActingProcessName endswith "\\wlanext.exe"
            or ActingProcessName endswith "\\WUDFHost.exe")
    )
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |