← Back to SOC feed Coverage →

Uncommon Child Processes Of SndVol.exe

sigma MEDIUM SigmaHQ
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-20T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)

Detection Rule

Sigma (Original)

title: Uncommon Child Processes Of SndVol.exe
id: ba42babc-0666-4393-a4f7-ceaf5a69191e
status: test
description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
references:
    - https://twitter.com/Max_Mal_/status/1661322732456353792
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\SndVol.exe'
    filter_main_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: ' shell32.dll,Control_RunDLL '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\SndVol.exe" or ActingProcessName endswith "\\SndVol.exe") and (not((TargetProcessName endswith "\\rundll32.exe" and TargetProcessCommandLine contains " shell32.dll,Control_RunDLL ")))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml