
Suspicious Process Parents

sigma · HIGH · SigmaHQ · T1036 · imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects suspicious parent processes that should not have any children or should only have a single possible child program

Detection Rule

Sigma (Original)

title: Suspicious Process Parents
id: cbec226f-63d9-4eca-9f52-dfb6652f24df
status: test
description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
references:
    - https://twitter.com/x86matthew/status/1505476263464607744?s=12
    - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2022-09-08
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\minesweeper.exe'
            - '\winver.exe'
            - '\bitsadmin.exe'
    selection_special:
        ParentImage|endswith:
            - '\csrss.exe'
            - '\certutil.exe'
         # - '\schtasks.exe'
            - '\eventvwr.exe'
            - '\calc.exe'
            - '\notepad.exe'
    filter_special:
        Image|endswith:
            - '\WerFault.exe'
            - '\wermgr.exe'
            - '\conhost.exe' # csrss.exe, certutil.exe
            - '\mmc.exe'     # eventvwr.exe
            - '\win32calc.exe' # calc.exe
            - '\notepad.exe'
    filter_null:
        Image: null
    condition: selection or ( selection_special and not 1 of filter_* )
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (
        (ParentProcessName endswith "\\minesweeper.exe" or ParentProcessName endswith "\\winver.exe" or ParentProcessName endswith "\\bitsadmin.exe")
        or (ActingProcessName endswith "\\minesweeper.exe" or ActingProcessName endswith "\\winver.exe" or ActingProcessName endswith "\\bitsadmin.exe")
    )
    or (
        (
            (ParentProcessName endswith "\\csrss.exe" or ParentProcessName endswith "\\certutil.exe" or ParentProcessName endswith "\\eventvwr.exe" or ParentProcessName endswith "\\calc.exe" or ParentProcessName endswith "\\notepad.exe")
            or (ActingProcessName endswith "\\csrss.exe" or ActingProcessName endswith "\\certutil.exe" or ActingProcessName endswith "\\eventvwr.exe" or ActingProcessName endswith "\\calc.exe" or ActingProcessName endswith "\\notepad.exe")
        )
        and not(
            (TargetProcessName endswith "\\WerFault.exe" or TargetProcessName endswith "\\wermgr.exe" or TargetProcessName endswith "\\conhost.exe" or TargetProcessName endswith "\\mmc.exe" or TargetProcessName endswith "\\win32calc.exe" or TargetProcessName endswith "\\notepad.exe")
            or isnull(TargetProcessName)
        )
    )
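As an added illustration that is not part of the SigmaHQ rule or this feed, the condition `selection or (selection_special and not 1 of filter_*)` rendered as a Python function and run over constructed Sysmon-style process creation events. Field names ParentImage/Image and the sample paths are assumptions made up for the example; the suffix lists are the rule's own.

```python
"""Reference implementation of the rule's condition (constructed example,
not SigmaHQ code). Field names follow Sysmon Event ID 1 (ParentImage, Image).
Sigma string modifiers are case-insensitive, so both sides are lower-cased."""

SELECTION = ("\\minesweeper.exe", "\\winver.exe", "\\bitsadmin.exe")
SELECTION_SPECIAL = ("\\csrss.exe", "\\certutil.exe", "\\eventvwr.exe",
                     "\\calc.exe", "\\notepad.exe")
FILTER_SPECIAL = ("\\werfault.exe", "\\wermgr.exe", "\\conhost.exe",
                  "\\mmc.exe", "\\win32calc.exe", "\\notepad.exe")

def endswith_any(value, suffixes):
    """Sigma 'endswith' over a list: true if any suffix matches, case-insensitively."""
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)

def matches(event):
    """True when 'selection or (selection_special and not 1 of filter_*)' holds."""
    parent, image = event.get("ParentImage"), event.get("Image")
    selection = endswith_any(parent, SELECTION)
    selection_special = endswith_any(parent, SELECTION_SPECIAL)
    # '1 of filter_*' is satisfied when any filter_* block matches
    filter_special = endswith_any(image, FILTER_SPECIAL)
    filter_null = image is None  # 'Image: null' -> field absent or null
    return selection or (selection_special and not (filter_special or filter_null))

# Constructed sample events (not real telemetry); only events 0 and 2 should alert
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\winver.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\csrss.exe", "Image": r"C:\Windows\System32\conhost.exe"},
    {"ParentImage": r"C:\Windows\System32\csrss.exe", "Image": r"C:\Users\Public\update.exe"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe", "Image": r"C:\Windows\System32\mmc.exe"},
    {"ParentImage": r"C:\Windows\System32\CERTUTIL.EXE", "Image": None},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

def hunt(events):
    """Indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    for i in hunt(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT: {e['ParentImage']} -> {e['Image']}")
```

Note that the plain `selection` parents (minesweeper, winver, bitsadmin) alert on any child at all, while the `selection_special` parents alert only when the child is outside their expected set, which is where most tuning against false positives happens.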

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml