The hypothesis is that an adversary may be establishing persistence or executing malicious payloads by creating new processes. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential initial access or lateral movement tactics that may evade traditional detection methods.
YARA Rule
rule create_process {
    meta:
        author = "x0r"
        description = "Create a new process"
        version = "0.2"
    strings:
        $f1 = "Shell32.dll" nocase
        $f2 = "Kernel32.dll" nocase
        $c1 = "ShellExecute"
        $c2 = "WinExec"
        $c3 = "CreateProcess"
        $c4 = "CreateThread"
    condition:
        ($f1 and $c1) or ($f2 and ($c2 or $c3 or $c4))
}
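The rule mixes two case-insensitive DLL names with four case-sensitive API names, and in YARA `and` binds tighter than `or`, so the condition is really two branches. The Python below is an added example, not part of the x0r rule set or of this page: it re-implements the rule's strings and condition in plain Python and evaluates them on constructed byte samples (the sample names and bytes are invented for the demonstration), so the nocase handling and the precedence can be checked without yara-python installed.

```python
# Added example: re-implements the create_process rule's strings and condition
# in plain Python so its matching behaviour can be checked on constructed
# byte samples. yara-python does the same against real files via
# yara.compile(source=...).match(data=...); it is not required here.

# nocase applies only to the two DLL names in the rule.
NOCASE_STRINGS = {"f1": b"Shell32.dll", "f2": b"Kernel32.dll"}
# The API names are matched case-sensitively, exactly as written in the rule.
CASE_STRINGS = {
    "c1": b"ShellExecute",
    "c2": b"WinExec",
    "c3": b"CreateProcess",
    "c4": b"CreateThread",
}


def string_hits(data: bytes) -> dict:
    """Return {identifier: matched} for every string defined in the rule."""
    hits = {}
    lowered = data.lower()
    for ident, pattern in NOCASE_STRINGS.items():
        hits[ident] = pattern.lower() in lowered
    for ident, pattern in CASE_STRINGS.items():
        hits[ident] = pattern in data
    return hits


def create_process_matches(data: bytes) -> bool:
    """Rule condition: ($f1 and $c1 ) or $f2 and ($c2 or $c3 or $c4).

    YARA gives 'and' higher precedence than 'or', so the right-hand branch is
    ($f2 and ($c2 or $c3 or $c4)); the parentheses below make that explicit.
    """
    s = string_hits(data)
    return (s["f1"] and s["c1"]) or (s["f2"] and (s["c2"] or s["c3"] or s["c4"]))


# Constructed byte samples standing in for file contents (not real binaries).
SAMPLES = {
    # Import-table-like text: nocase DLL name plus a case-sensitive API name.
    "launcher": b"\x00KERNEL32.dll\x00CreateProcessW\x00ExitProcess\x00",
    # DLL name matches case-insensitively, but SHELLEXECUTE is not ShellExecute.
    "shell_upper": b"\x00shell32.dll\x00SHELLEXECUTE\x00",
    # Thread creation alone satisfies the second branch: a false-positive source.
    "threads_only": b"\x00kernel32.dll\x00CreateThread\x00",
    # API name without either DLL name never matches.
    "winexec_no_dll": b"\x00WinExec\x00",
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would match it."""
    return {name: create_process_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in evaluate_samples().items():
        print(f"{name:16} -> {'MATCH' if matched else 'no match'}")
```

The `threads_only` sample is the point to keep in mind when triaging hits: any binary that imports `Kernel32.dll` and `CreateThread` satisfies the second branch, so the rule tags a large share of ordinary Windows software and is a capability indicator rather than a verdict.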
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: A system administrator is using Task Scheduler to run a maintenance script at scheduled intervals.
Filter/Exclusion: Exclude processes with Image containing schtasks.exe or TaskScheduler in the command line.
Scenario: A developer is using PowerShell to launch a debugging session with Start-Process.
Filter/Exclusion: Exclude processes where the CommandLine includes powershell.exe and contains -Command or -File with known development scripts.
Scenario: A database administrator is using SQL Server Agent to execute a backup job.
Filter/Exclusion: Exclude processes with Image containing sqlagent.exe or sqlservr.exe and where the command line includes backup or restore.
Scenario: A user is launching a legitimate application via Remote Desktop Services (RDS).
Filter/Exclusion: Exclude processes where the ParentProcessName is rdpclip.exe or mstsc.exe, and the Image is a known application like notepad.exe or explorer.exe.
Scenario: A system update is being applied via Windows Update using wuauclt.exe.
Filter/Exclusion: Exclude processes with Image containing wuauclt.exe or wuauserv.exe and where the command line includes detectnow or update.
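The five exclusions above are easiest to keep narrow when they are written as code that can be tested against sample events. The Python below is an added example, not part of this page or of any Sentinel content pack: it applies each scenario's filter to constructed process-creation events (field names follow Sysmon event ID 1 naming: Image, CommandLine, ParentProcessName) and returns the events that survive for the hunt. The `KNOWN_DEV_SCRIPTS` and `KNOWN_RDS_APPS` allowlists are placeholders that a team would replace with its own inventory.

```python
from dataclasses import dataclass
from typing import List, Optional

# Placeholder allowlists (constructed for this example; replace with the
# team's own inventory of approved scripts and RDS applications).
KNOWN_DEV_SCRIPTS = {"c:\\dev\\debug-session.ps1"}
KNOWN_RDS_APPS = {"notepad.exe", "explorer.exe"}


@dataclass
class ProcessEvent:
    image: str                 # full path of the created process
    command_line: str
    parent_process_name: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the benign scenario that excludes ev, or None."""
    image = _basename(ev.image)
    cmd = ev.command_line.lower()
    parent = _basename(ev.parent_process_name)

    # 1. Task Scheduler running a maintenance script
    if "schtasks.exe" in image or "taskscheduler" in cmd:
        return "task-scheduler"
    # 2. PowerShell debugging session launching a known development script;
    #    the allowlist keeps this from excluding arbitrary -Command / -File use
    if ("powershell.exe" in cmd and ("-command" in cmd or "-file" in cmd)
            and any(script in cmd for script in KNOWN_DEV_SCRIPTS)):
        return "powershell-dev-script"
    # 3. SQL Server Agent backup or restore job
    if (("sqlagent.exe" in image or "sqlservr.exe" in image)
            and ("backup" in cmd or "restore" in cmd)):
        return "sql-agent-backup"
    # 4. Known application launched through Remote Desktop Services
    if parent in {"rdpclip.exe", "mstsc.exe"} and image in KNOWN_RDS_APPS:
        return "rds-known-app"
    # 5. Windows Update client activity
    if (("wuauclt.exe" in image or "wuauserv.exe" in image)
            and ("detectnow" in cmd or "update" in cmd)):
        return "windows-update"
    return None


def hunt(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that survive every exclusion (the hunt's working set)."""
    return [ev for ev in events if exclusion_reason(ev) is None]


# Constructed sample events: four match a benign scenario, three do not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /run /tn "Maintenance"',
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\dev\debug-session.ps1",
                 r"C:\Windows\explorer.exe"),
    # PowerShell with an encoded command and no allowlisted script stays in scope.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -EncodedCommand QQBCAEMA",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\System32\mstsc.exe"),
    # Same RDS parent, but cmd.exe is not an allowlisted application.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"C:\Windows\System32\mstsc.exe"),
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe /detectnow",
                 r"C:\Windows\System32\services.exe"),
    # An arbitrary binary that merely says "update" on its command line stays in scope.
    ProcessEvent(r"C:\Users\Public\updater.exe", "updater.exe --update",
                 r"C:\Windows\System32\winword.exe"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{_basename(ev.image):16} -> {exclusion_reason(ev) or 'KEEP FOR HUNT'}")
```

Each filter anchors on the Image or ParentProcessName rather than on command-line words alone, and the PowerShell and RDS exclusions require a match against an explicit allowlist; that is what stops the exclusions from silently dropping the encoded-command and `cmd.exe`-under-`mstsc.exe` events, which are exactly the ones the hunt exists to surface.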