cscli scenarios install sigmahq/proc_creation_win_susp_abusing_debug_privilege1type: trigger2name: sigmahq/proc_creation_win_susp_abusing_debug_privilege3description: |4 Detection of unusual child processes by different system processes5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.ParentImage endsWith '\\winlogon.exe' || evt.Parsed.ParentImage endsWith '\\services.exe' || evt.Parsed.ParentImage endsWith '\\lsass.exe' || evt.Parsed.ParentImage endsWith '\\csrss.exe' || evt.Parsed.ParentImage endsWith '\\smss.exe' || evt.Parsed.ParentImage endsWith '\\wininit.exe' || evt.Parsed.ParentImage endsWith '\\spoolsv.exe' || evt.Parsed.ParentImage endsWith '\\searchindexer.exe') && (evt.Parsed.User contains 'AUTHORI' || evt.Parsed.User contains 'AUTORI') && (evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.Image endsWith '\\pwsh.exe' || evt.Parsed.Image endsWith '\\cmd.exe' || evt.Parsed.OriginalFileName in ['PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe']) && not (evt.Parsed.CommandLine contains ' route ' && evt.Parsed.CommandLine contains ' ADD '))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t15481516 label: "Abused Debug Privilege by Arbitrary Parent Processes"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324