← Back to SOC feed Coverage →

Potentially Suspicious Execution From Parent Process In Public Folder

sigma HIGH SigmaHQ
T1564T1059
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a potentially suspicious execution of a parent process located in the “\Users\Public” folder executing a child process containing references to shell or scripting binaries and commandlines.

Detection Rule

Sigma (Original)

title: Potentially Suspicious Execution From Parent Process In Public Folder
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: |
    Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-25
modified: 2024-07-12
tags:
    - attack.execution
    - attack.stealth
    - attack.t1564
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: ':\Users\Public\'
    selection_child:
        - Image|endswith:
              - '\bitsadmin.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - CommandLine|contains:
              - 'bitsadmin'
              - 'certutil'
              - 'cscript'
              - 'mshta'
              - 'powershell'
              - 'regsvr32'
              - 'rundll32'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName contains ":\\Users\\Public\\" or ActingProcessName contains ":\\Users\\Public\\") and ((TargetProcessName endswith "\\bitsadmin.exe" or TargetProcessName endswith "\\certutil.exe" or TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\wscript.exe") or (TargetProcessCommandLine contains "bitsadmin" or TargetProcessCommandLine contains "certutil" or TargetProcessCommandLine contains "cscript" or TargetProcessCommandLine contains "mshta" or TargetProcessCommandLine contains "powershell" or TargetProcessCommandLine contains "regsvr32" or TargetProcessCommandLine contains "rundll32" or TargetProcessCommandLine contains "wscript"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml