
Windows Processes Suspicious Parent Directory

Format: Sigma · Level: low · Source: SigmaHQ
ATT&CK: T1036.003, T1036.005
Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-22T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detect suspicious parent processes of well-known Windows processes

Detection Rule

Sigma (Original)

title: Windows Processes Suspicious Parent Directory
id: 96036718-71cc-4027-a538-d1587e0006a7
status: test
description: Detect suspicious parent processes of well-known Windows processes
references:
    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
author: vburov
date: 2019-02-23
modified: 2025-03-06
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\lsm.exe'
            - '\lsass.exe'
            - '\services.exe'
            - '\lsaiso.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_sys:
        - ParentImage|endswith:
              - '\SavService.exe'
              - '\ngen.exe'
        - ParentImage|contains:
              - '\System32\'
              - '\SysWOW64\'
    filter_msmpeng:
        ParentImage|contains:
            - '\Windows Defender\'
            - '\Microsoft Security Client\'
        ParentImage|endswith: '\MsMpEng.exe'
    filter_null:
        - ParentImage: null
        - ParentImage:
              - ''
              - '-'
    condition: selection and not 1 of filter_*
falsepositives:
    - Some security products seem to spawn these
level: low

KQL (Azure Sentinel)

imProcessCreate
| where (
        TargetProcessName endswith "\\svchost.exe"
        or TargetProcessName endswith "\\taskhost.exe"
        or TargetProcessName endswith "\\lsm.exe"
        or TargetProcessName endswith "\\lsass.exe"
        or TargetProcessName endswith "\\services.exe"
        or TargetProcessName endswith "\\lsaiso.exe"
        or TargetProcessName endswith "\\csrss.exe"
        or TargetProcessName endswith "\\wininit.exe"
        or TargetProcessName endswith "\\winlogon.exe"
    )
    and not(
        // filter_sys: known product binaries, or any parent under System32 / SysWOW64
        (ParentProcessName endswith "\\SavService.exe" or ParentProcessName endswith "\\ngen.exe")
        or (ActingProcessName endswith "\\SavService.exe" or ActingProcessName endswith "\\ngen.exe")
        or (ParentProcessName contains "\\System32\\" or ParentProcessName contains "\\SysWOW64\\")
        or (ActingProcessName contains "\\System32\\" or ActingProcessName contains "\\SysWOW64\\")
        // filter_msmpeng: MsMpEng.exe, but only from a Defender / Security Client directory
        or (
            (ParentProcessName contains "\\Windows Defender\\" or ParentProcessName contains "\\Microsoft Security Client\\"
             or ActingProcessName contains "\\Windows Defender\\" or ActingProcessName contains "\\Microsoft Security Client\\")
            and (ParentProcessName endswith "\\MsMpEng.exe" or ActingProcessName endswith "\\MsMpEng.exe")
        )
        // filter_null: events that carry no usable parent information
        or isnull(ParentProcessName) or isnull(ActingProcessName)
        or ParentProcessName in~ ("", "-") or ActingProcessName in~ ("", "-")
    )
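To see how the `selection` and the three `filter_*` blocks combine under `condition: selection and not 1 of filter_*`, here is an added Python evaluator that mirrors the Sigma rule's logic and runs it over a handful of constructed process-creation events. It is example code written for this page, not part of the SigmaHQ rule or the feed; the event records, paths and file names are made up. It follows the Sigma rule's single `ParentImage` field rather than the KQL's `ParentProcessName`/`ActingProcessName` pair, and lowercases everything because Sigma string modifiers (and KQL `endswith`, `contains`, `in~`) match case-insensitively.

```python
from typing import Optional

# Rule terms, taken from the Sigma rule above (lowercased for case-insensitive matching).
WELL_KNOWN_IMAGES = (
    "\\svchost.exe", "\\taskhost.exe", "\\lsm.exe", "\\lsass.exe", "\\services.exe",
    "\\lsaiso.exe", "\\csrss.exe", "\\wininit.exe", "\\winlogon.exe",
)
FILTER_SYS_ENDSWITH = ("\\savservice.exe", "\\ngen.exe")
FILTER_SYS_CONTAINS = ("\\system32\\", "\\syswow64\\")
FILTER_MSMPENG_CONTAINS = ("\\windows defender\\", "\\microsoft security client\\")
FILTER_MSMPENG_ENDSWITH = "\\msmpeng.exe"
FILTER_NULL_VALUES = ("", "-")


def selection(image: str) -> bool:
    """`selection`: Image ends with one of the well-known system process names."""
    img = image.lower()
    return any(img.endswith(s) for s in WELL_KNOWN_IMAGES)


def filter_sys(parent: Optional[str]) -> bool:
    """`filter_sys`: a list of maps in Sigma, so the two entries are OR-ed."""
    if parent is None:
        return False
    p = parent.lower()
    return any(p.endswith(s) for s in FILTER_SYS_ENDSWITH) or any(s in p for s in FILTER_SYS_CONTAINS)


def filter_msmpeng(parent: Optional[str]) -> bool:
    """`filter_msmpeng`: a single map in Sigma, so both keys must hold (AND)."""
    if parent is None:
        return False
    p = parent.lower()
    return any(s in p for s in FILTER_MSMPENG_CONTAINS) and p.endswith(FILTER_MSMPENG_ENDSWITH)


def filter_null(parent: Optional[str]) -> bool:
    """`filter_null`: no parent recorded; the rule does not try to judge these events."""
    return parent is None or parent.lower() in FILTER_NULL_VALUES


def matches(event: dict) -> bool:
    """`condition: selection and not 1 of filter_*`."""
    image = event.get("Image")
    parent = event.get("ParentImage")
    if image is None:
        return False
    return selection(image) and not (filter_sys(parent) or filter_msmpeng(parent) or filter_null(parent))


def alerts(events: list) -> list:
    """Return the events the rule would fire on, in input order."""
    return [e for e in events if matches(e)]


# Constructed sample events (hypothetical paths, not captured telemetry).
SAMPLE_EVENTS = [
    # Normal service host start; parent under System32 -> suppressed by filter_sys (case differs on purpose).
    {"Image": r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE", "ParentImage": r"C:\Windows\System32\services.exe"},
    # svchost.exe launched by a binary in a user-writable directory -> alert.
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    # Defender engine under its product directory -> suppressed by filter_msmpeng.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe"},
    # Same file name outside a Defender directory: the AND in filter_msmpeng does not apply -> alert.
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Users\Public\MsMpEng.exe"},
    # Parent not recorded by the sensor -> suppressed by filter_null.
    {"Image": r"C:\Windows\System32\lsass.exe", "ParentImage": "-"},
    # Not one of the well-known images -> selection does not match at all.
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Users\alice\Downloads\setup.exe"},
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "<-", e["ParentImage"])
```

Running it prints the two alerting events (the Temp parent and the out-of-place MsMpEng.exe). The fourth event is the one worth noticing when tuning: `filter_msmpeng` is a Sigma map, so a file merely named MsMpEng.exe is not excluded unless it also runs from a Defender or Security Client directory, which is exactly the location check that T1036.005 coverage depends on.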

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

The rule's own falsepositives entry notes that some security products seem to spawn these processes. The shipped filters already account for the known cases: filter_sys excludes SavService.exe and ngen.exe as well as any parent under \System32\ or \SysWOW64\, filter_msmpeng excludes MsMpEng.exe only when it runs from a Windows Defender or Microsoft Security Client directory, and filter_null drops events with no recorded parent. If another trusted product in your environment is a recurring parent of these processes, add it as a further filter rather than widening the existing ones. In the KQL translation, note that both ParentProcessName and ActingProcessName are checked.

MITRE ATT&CK Context

Tagged T1036.003 (Masquerading: Rename System Utilities) and T1036.005 (Masquerading: Match Legitimate Name or Location). The pattern the rule flags, a process carrying a well-known system process name that was started by a parent outside the expected system directories, is what both sub-techniques describe. Level is low, so treat a hit as a hunting lead to be confirmed against the parent's path, signer, and command line rather than as a standalone alert.
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml