Phase 2 · T1059.001 · Moderate
Suspicious Parent/Child Process Relationships
Detect anomalous lineage like services.exe → powershell.exe or w3wp.exe → powershell.exe.
#Sysmon #Behavioral
Detection Objective
Surface PowerShell with unusual parents (web servers, services host, lsass).
Real-World Attack Scenario
Webshell on IIS spawns PowerShell as the app pool identity.
Why This Detection Matters
Catches living-off-the-land that bypasses content rules.
ATT&CK Mapping
T1059.001 · PowerShell
Tactic: Execution
Required Telemetry
- Sysmon EID 1
Windows Event IDs
—
Sysmon Event IDs
1
Wazuh Log Source
Sysmon/Operational
Setup Steps
- Sysmon EID 1 with parent fields.
Safe Validation Command
Use psexec or runas to fake an unusual parent in a lab VM only.
PsExec.exe -accepteula -i -s powershell.exe -c "Write-Host detection-test"
⚠ lab use only · this project does not execute real malware
Expected Log Output
Sysmon EID 1
ParentImage: ...\services.exe
Image: ...\powershell.exe
Detection Logic (Wazuh rule concept)
Image matches powershell|pwsh AND ParentImage in {w3wp.exe, sqlservr.exe, services.exe, spoolsv.exe, mshta.exe, wmiprvse.exe}
False Positives
- Legitimate IIS management scripts
Tuning Recommendations
- Per-host allowlists for known admins.
Analyst Triage Notes
- Pull the IIS / app context and recent file writes.
Detection Improvement Ideas
- Add baseline of normal parents per host.
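The detection logic and the per-host allowlist tuning above, implemented as an added Python example that is not part of the original rule set: it evaluates constructed Sysmon EID 1 events, so the recorded lab event (parent explorer.exe, outside the rule's parent set) does not fire while a constructed w3wp.exe → PowerShell event does. The allowlist entry, the host IIS-WEB-01, and the alert level 10 are assumptions for illustration.

```python
import re
from typing import Optional

# Parents the page treats as unusual launchers of PowerShell (Sysmon EID 1 ParentImage).
SUSPICIOUS_PARENTS = {"w3wp.exe", "sqlservr.exe", "services.exe",
                      "spoolsv.exe", "mshta.exe", "wmiprvse.exe"}
CHILD_RE = re.compile(r"^(powershell|pwsh)\.exe$", re.IGNORECASE)
RULE_ID, RULE_LEVEL = 100667, 10  # level 10 is an assumed mapping for severity=medium

# Hypothetical per-host allowlist (tuning): (agent, parent, user) tuples known to be legitimate.
ALLOWLIST = {("WIN10-LAB-01", "services.exe", "CORP\\svc_patching")}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict when every clause of the rule holds, otherwise None."""
    if event.get("EventID") != 1:  # only Sysmon process-creation events
        return None
    child, parent = basename(event["Image"]), basename(event["ParentImage"])
    if not CHILD_RE.match(child) or parent not in SUSPICIOUS_PARENTS:
        return None
    if (event["Agent"], parent, event["User"]) in ALLOWLIST:  # suppress known admin activity
        return None
    return {"rule_id": RULE_ID, "level": RULE_LEVEL, "agent": event["Agent"],
            "lineage": f"{parent} -> {child}", "user": event["User"]}


# Constructed Sysmon EID 1 events; the first mirrors the lab evidence on this page.
EVENTS = [
    {"EventID": 1, "Agent": "WIN10-LAB-01", "User": "CORP\\j.doe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Agent": "IIS-WEB-01", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 1, "Agent": "WIN10-LAB-01", "User": "CORP\\svc_patching",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def run(events=EVENTS) -> list:
    """Alerts for the events that match; only the w3wp.exe -> PowerShell event should."""
    return [alert for alert in map(evaluate, events) if alert]
```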
log analysis layer
Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.
siem · log evidence
rule 100667
Suspicious Parent/Child Process Relationships
Sysmon/Operational
Event ID
Sysmon EID 1
Image
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent
C:\Windows\explorer.exe
CommandLine
PsExec.exe -accepteula -i -s powershell.exe -c "Write-Host detection-test"
User
CORP\j.doe
Agent
WIN10-LAB-01
Timestamp
2026-05-26T14:32:11Z
analyst note
Pull the IIS / app context and recent file writes.
Parent → Child Analysis
explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.
Command-Line Flags Observed
- (no high-risk flags in this test)
Signal value comes from context (parent, network, persistence) rather than flags.
Parsed Fields the Analyst Reads
- Image — Process binary that executed — confirms PowerShell. Value: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- ParentImage — Who launched it — context for legitimacy. Value: C:\Windows\explorer.exe
- CommandLine — Arguments — where attacker intent shows up. Value: PsExec.exe -accepteula -i -s powershell.exe -c "Write-Host detection-test"
- User — Account context — service vs interactive vs SYSTEM. Value: CORP\j.doe
- EventID — Telemetry channel and event type. Value: Sysmon EID 1
- Wazuh Rule ID — Rule that matched and produced this alert. Value: 100667
- Agent — Endpoint that produced the telemetry. Value: WIN10-LAB-01
- Timestamp — When it happened — anchor for correlation. Value: 2026-05-26T14:32:11Z
Malicious Pattern
pattern
Suspicious Parent/Child Process Relationships
description
Webshell on IIS spawns PowerShell as the app pool identity.
analyst takeaway
Catches living-off-the-land that bypasses content rules. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.
proof the detection worked
test command
PsExec.exe -accepteula -i -s powershell.exe -c "Write-Host detection-test"
expected event
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100667 — "Suspicious Parent/Child Process Relationships" fires at a level matching severity=medium.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.