Security Monitoring Forwarded Events: A suspicious process creation (cmd) was executed
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD (Rule)
These events should be investigated. We are tracking 4688 events with known strings often found in malicious scripts. While it is possible that there are normal conditions for this rule, any alert should be investigated immediately.
Element properties: Member Modules:
Source Code: <Rule ID="SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD" Enabled="true" Target="WindowsEventCollectorDiscovery!WindowsEventCollectorDiscovery.EventLogCollectorServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>ForwardedEvents</LogName>
<AllowProxying>true</AllowProxying>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">4688</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[9]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>cmd.exe /c cd c:\\Progra~1&for</Pattern>
</RegExExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[9]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>cmd.exe /c cd c:\\windows\\debug&for</Pattern>
</RegExExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[9]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>cmd.exe /c cd C:\\WINDOWS\\Installer&for</Pattern>
</RegExExpression>
</Expression>
</Or>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data[Default='']/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression/>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10>Security Monitoring</Custom10>
</WriteAction>
</WriteActions>
</Rule>