# Install this scenario from the CrowdSec hub. The scenario only evaluates events whose
# parser set evt.Meta.service == 'sysmon' and evt.Parsed.EventID == '1', so a Sysmon /
# Windows event-log parser that populates Image, OriginalFileName, ParentImage,
# ParentCommandLine and ParentProcessId must be present too — confirm for your deployment.
cscli scenarios install sigmahq/proc_creation_win_csc_susp_parent
# CrowdSec conversion of the Sigma rule proc_creation_win_csc_susp_parent.
# A "trigger" scenario alerts on a single matching event: here one Sysmon
# process-creation record (EventID 1) whose Image/OriginalFileName is csc.exe.
type: trigger
name: sigmahq/proc_creation_win_csc_susp_parent
description: |
  Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
# How the filter below reads (it relies on && binding tighter than || in expr):
#   - csc.exe is recognised by Image suffix OR by OriginalFileName; the second
#     comes from PE version info, so a renamed copy is still caught unless that
#     resource was stripped.
#   - The parent is considered suspicious when it is a script host / Office app
#     (cscript, wscript, mshta, excel, onenote, outlook, powerpnt, winword), OR
#     powershell/pwsh whose command line contains '-Encoded ' or
#     'FromBase64String', OR a parent command line that ends in / references a
#     user-writable location (ProgramData, %AppData%/%LocalAppData%,
#     \AppData\{Local,LocalLow,Roaming}, PerfLogs, Users\Public, Windows\Temp,
#     Temporary Internet, and Users\...\{Favorites,Favourites,Contacts,Pictures}).
#   - Exclusions: parents under either Program Files tree, sdiagnhost.exe,
#     IIS w3wp.exe, Chocolatey's choco.exe, Defender ATP under ProgramData, and
#     three base64 alignments of what appears to decode (UTF-16LE) to the
#     Ansible bootstrap string '{"failed":true,"msg":"Ansible requires
#     PowerShell v3.0 or newer"}'.
# NOTE(review): expr's endsWith/contains/startsWith/== are case-sensitive,
#   whereas the upstream Sigma rule matches case-insensitively. A parent
#   recorded as 'WINWORD.EXE' or an image 'Csc.exe' will not hit the positive
#   selections (the regex is the only case-tolerant part); the exclusions, being
#   case-sensitive too, fail closed (still alert) rather than open. Confirm the
#   casing your Sysmon config / parser actually emits before relying on this.
# NOTE(review): '-Encoded ' only covers that exact spelling; the shorter
#   PowerShell forms (-e, -ec, -enc, -EncodedCommand) are not matched, as in
#   the upstream rule.
# NOTE(review): the w3wp.exe exclusion means csc.exe spawned by an ASP.NET
#   worker — including one driven by a webshell — is deliberately not alerted
#   here. The choco.exe exclusion is purely path-based; C:\ProgramData is
#   commonly user-creatable, so the path can exist without a real Chocolatey
#   install — verify on your baseline.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\csc.exe' || evt.Parsed.OriginalFileName == 'csc.exe') && (evt.Parsed.ParentImage endsWith '\\cscript.exe' || evt.Parsed.ParentImage endsWith '\\excel.exe' || evt.Parsed.ParentImage endsWith '\\mshta.exe' || evt.Parsed.ParentImage endsWith '\\onenote.exe' || evt.Parsed.ParentImage endsWith '\\outlook.exe' || evt.Parsed.ParentImage endsWith '\\powerpnt.exe' || evt.Parsed.ParentImage endsWith '\\winword.exe' || evt.Parsed.ParentImage endsWith '\\wscript.exe' || (evt.Parsed.ParentImage endsWith '\\powershell.exe' || evt.Parsed.ParentImage endsWith '\\pwsh.exe') && (evt.Parsed.ParentCommandLine contains '-Encoded ' || evt.Parsed.ParentCommandLine contains 'FromBase64String') || evt.Parsed.ParentCommandLine matches '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$' || evt.Parsed.ParentCommandLine contains ':\\PerfLogs\\' || evt.Parsed.ParentCommandLine contains ':\\Users\\Public\\' || evt.Parsed.ParentCommandLine contains ':\\Windows\\Temp\\' || evt.Parsed.ParentCommandLine contains '\\Temporary Internet' || evt.Parsed.ParentCommandLine contains ':\\Users\\' && evt.Parsed.ParentCommandLine contains '\\Favorites\\' || evt.Parsed.ParentCommandLine contains ':\\Users\\' && evt.Parsed.ParentCommandLine contains '\\Favourites\\' || evt.Parsed.ParentCommandLine contains ':\\Users\\' && evt.Parsed.ParentCommandLine contains '\\Contacts\\' || evt.Parsed.ParentCommandLine contains ':\\Users\\' && evt.Parsed.ParentCommandLine contains '\\Pictures\\') && not (evt.Parsed.ParentImage startsWith 'C:\\Program Files (x86)\\' || evt.Parsed.ParentImage startsWith 'C:\\Program Files\\' || evt.Parsed.ParentImage == 'C:\\Windows\\System32\\sdiagnhost.exe' || evt.Parsed.ParentImage == 'C:\\Windows\\System32\\inetsrv\\w3wp.exe') && not (evt.Parsed.ParentImage == 'C:\\ProgramData\\chocolatey\\choco.exe' || evt.Parsed.ParentCommandLine contains '\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection' || evt.Parsed.ParentCommandLine contains 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw' || evt.Parsed.ParentCommandLine contains 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA' || evt.Parsed.ParentCommandLine contains 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'))
# After an alert, further matches for the same scope key are suppressed for
# two minutes (CrowdSec blackhole semantics) — a second csc.exe from the same
# parent PID inside that window will not raise a new alert.
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
    - attack.t1027.004

  label: "Csc.EXE Execution Form Potentially Suspicious Parent"
  # Audit-only scenario: remediation is false, so it raises an alert but
  # produces no decision (no ban/captcha).
  behavior : "windows:audit"
  remediation: false

# Alerts are keyed on the parent's PID, i.e. one alert per offending parent
# process rather than per csc.exe child.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId