Suspicious Sysmon as Execution Parent

Rule Info

Id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
Author: Florian Roth
Name: Suspicious Sysmon as Execution Parent
Tags: DEMO
Date: 2022-11-10 00:00:00
Modified: None
Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120).
Type: Community Rule

Rule History

Author        | Date       | Commit | Title
Florian Roth  | 2022-11-10 |        | fix: FPs
Florian Roth  | 2022-11-10 |        | docs: update description and tags
Florian Roth  | 2022-11-10 |        | rule: Sysmon as parent