Detection rules › Splunk
Parent in Public Folder Suspicious Process (Windows Event Log)
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. This use case detects suspicious processes with a parent process in the Users\Public directory.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
| Stealth | T1564 Hide Artifacts |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '30578.54661'
title: Parent in Public Folder Suspicious Process
description: Adversaries may attempt to hide artifacts associated with their behaviors
to evade detection. Adversaries may abuse command and script interpreters to execute
commands, scripts, or binaries. This use case detects suspicious processes with
a parent process in the Users\Public directory.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) "\\Users\\Public" ("powershell" OR "pwsh" OR "wscript.exe"
OR "cscript.exe" OR "bitsadmin" OR "certutil" OR "mshta.exe") OR ("cmd.exe" (" /c
" OR " /r " OR " /k " )) | regex parent_process_path="^C:\x5cUsers\x5cPublic"| table
_time, host, user, parent_process_name, parent_process_path, process_name, process_path,
process | bin span=1s | stats values(*) as * by _time, host '
techniques:
- execution:command and scripting interpreter
- defense-evasion:hide artifacts
technique_id:
- T1059
- T1564
data_category:
- Process command-line parameters
- Windows event logs
references:
- https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent/
- https://attack.mitre.org/techniques/T1564/
- https://attack.mitre.org/techniques/T1059/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) "\\Users\\Public" ("powershell" OR "pwsh" OR "wscript.exe" OR "cscript.exe" OR "bitsadmin" OR "certutil" OR "mshta.exe") OR ("cmd.exe" (" /c " OR " /r " OR " /k " ))
Stage 2: regex
| regex parent_process_path="^C:\x5cUsers\x5cPublic"
Stage 3: table
| table _time, host, user, parent_process_name, parent_process_path, process_name, process_path, process
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
parent_process_path | regex_match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | "\\Users\\Public" |
| 1 | "powershell" |
| 1 | "pwsh" |
| 1 | "wscript.exe" |
| 1 | "cscript.exe" |
| 1 | "bitsadmin" |
| 1 | "certutil" |
| 1 | "mshta.exe" |
| 1 | "cmd.exe" |
| 1 | " /c " |
| 1 | " /r " |
| 1 | " /k " |