Suspicious Sysmon as Execution Parent

Rule Info

Name

Suspicious Sysmon as Execution Parent

Author

Florian Roth (Nextron Systems), Tim Shelton (fp werfault)

Description

Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

Reference

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120

Date

2022-11-10 00:00:00

Modified

2023-10-23 00:00:00

6d1058a4-407e-4f3a-a144-1968c11dc5c3

Rule History

Author

Title

Date

Commit

Nasreddine Bencherchali

Merge PR #4503 from @nasbench - Multiple Updates & Fixes

2023-10-28

52e39113b

phantinuss

Merge PR #4490 From @phantinuss - Fix FP Found In Testing

2023-10-18

f91066f09

Nasreddine Bencherchali

Merge PR #4482 From @nasbench - Add New Automation Workflows

2023-10-18

95793d73b

Florian Roth

Merge PR #4443 from @Neo23x0 - Fix Null Edge Case & Add New String

2023-09-13

d68f19a88

Tessa Georgen

fix: typo in tags field (#4383)

2023-08-18

e3628f0b7

frack113

Update tags

2023-06-20

8c5dba374

Nasreddine Bencherchali

chore: move rules to new folders (#4205)

2023-05-02

637d61088

Nasreddine Bencherchali

fix: remove duplicate uuid

2023-04-12

4f4a9356c

Nasreddine Bencherchali

feat: updates and enhancements

2023-02-14

27aac9763

Nasreddine Bencherchali

chore: add nextron authors tag

2023-02-01

7c38a5c49

zydyka

Update proc_creation_win_sysmon_exploitation.yml

2022-12-30

d7bc30587

Tim Shelton

FP when sysmon crashes and werfault gets launched

2022-12-29

aeab567fb

Nasreddine Bencherchali

feat: updates and enhancements

2022-12-16

3868dd91c

Florian Roth

fix: FPs

2022-12-04

6390915eb

Florian Roth

fix: FPs

2022-11-10

327829255