Detection rules › Splunk
Parent in Public Folder Suspicious Process (Sysmon)
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. This use case detects suspicious processes with a parent process in the Users\Public directory.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
| Stealth | T1564 Hide Artifacts |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '30578.54662'
title: Parent in Public Folder Suspicious Process
description: Adversaries may attempt to hide artifacts associated with their behaviors
to evade detection. Adversaries may abuse command and script interpreters to execute
commands, scripts, or binaries. This use case detects suspicious processes with
a parent process in the Users\Public directory.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
"\\Users\\Public" ("powershell" OR "pwsh" OR "wscript.exe" OR "cscript.exe" OR "bitsadmin"
OR "certutil" OR "mshta.exe") OR ("cmd.exe" (" /c " OR " /r " OR " /k " )) | regex
parent_process_path="^C:\x5cUsers\x5cPublic" | table _time, host, user, parent_process_name,
parent_process_path, process_name, process_path, process | bin span=1s | stats values(*)
as * by _time, host '
techniques:
- execution:command and scripting interpreter
- defense-evasion:hide artifacts
technique_id:
- T1059
- T1564
data_category:
- Windows Sysmon
references:
- https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent/
- https://attack.mitre.org/techniques/T1564/
- https://attack.mitre.org/techniques/T1059/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") "\\Users\\Public" ("powershell" OR "pwsh" OR "wscript.exe" OR "cscript.exe" OR "bitsadmin" OR "certutil" OR "mshta.exe") OR ("cmd.exe" (" /c " OR " /r " OR " /k " ))
Stage 2: regex
| regex parent_process_path="^C:\x5cUsers\x5cPublic"
Stage 3: table
| table _time, host, user, parent_process_name, parent_process_path, process_name, process_path, process
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
parent_process_path | regex_match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "\\Users\\Public" |
| 1 | "powershell" |
| 1 | "pwsh" |
| 1 | "wscript.exe" |
| 1 | "cscript.exe" |
| 1 | "bitsadmin" |
| 1 | "certutil" |
| 1 | "mshta.exe" |
| 1 | "cmd.exe" |
| 1 | " /c " |
| 1 | " /r " |
| 1 | " /k " |