cscli scenarios install sigmahq/proc_creation_win_sdiagnhost_susp_child1type: trigger2name: sigmahq/proc_creation_win_sdiagnhost_susp_child3description: |4 Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.ParentImage endsWith '\\sdiagnhost.exe' && (evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.Image endsWith '\\pwsh.exe' || evt.Parsed.Image endsWith '\\cmd.exe' || evt.Parsed.Image endsWith '\\mshta.exe' || evt.Parsed.Image endsWith '\\cscript.exe' || evt.Parsed.Image endsWith '\\wscript.exe' || evt.Parsed.Image endsWith '\\taskkill.exe' || evt.Parsed.Image endsWith '\\regsvr32.exe' || evt.Parsed.Image endsWith '\\rundll32.exe' || evt.Parsed.Image endsWith '\\calc.exe') && not (evt.Parsed.Image endsWith '\\cmd.exe' && evt.Parsed.CommandLine contains 'bits' || evt.Parsed.Image endsWith '\\powershell.exe' && (evt.Parsed.CommandLine endsWith '-noprofile -' || evt.Parsed.CommandLine endsWith '-noprofile')))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t103615 - attack.t12181617 label: "Sdiagnhost Calling Suspicious Child Process"18 behavior : "windows:audit"19 remediation: false2021scope:22 type: ParentProcessId23 expression: evt.Parsed.ParentProcessId2425