← Back to SOC feed Coverage →

Sdiagnhost Calling Suspicious Child Process

sigma HIGH SigmaHQ
T1036T1218
imProcessCreate
exploit
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-19T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Detection Rule

Sigma (Original)

title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdiagnhost.exe'
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            # - '\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
            - '\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    filter_main_cmd_bits:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'bits'
    filter_main_powershell_noprofile:
        Image|endswith: '\powershell.exe'
        CommandLine|endswith:
            - '-noprofile -'
            - '-noprofile'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\sdiagnhost.exe" or ActingProcessName endswith "\\sdiagnhost.exe") and (TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\wscript.exe" or TargetProcessName endswith "\\taskkill.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\calc.exe")) and (not(((TargetProcessName endswith "\\cmd.exe" and TargetProcessCommandLine contains "bits") or (TargetProcessName endswith "\\powershell.exe" and (TargetProcessCommandLine endswith "-noprofile -" or TargetProcessCommandLine endswith "-noprofile")))))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml