Security Monitoring Forwarded Events: A suspicious process creation (cmd) was executed

SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD (Rule)

These events should be investigated. This rule watches Event ID 4688 (a new process has been created) in the ForwardedEvents log on the event collector and alerts when the process command line (the ninth event parameter, Param[9]) contains one of three strings seen in known malicious scripts: "cmd.exe /c cd c:\Progra~1&for", "cmd.exe /c cd c:\windows\debug&for" or "cmd.exe /c cd C:\WINDOWS\Installer&for". Normal activity can occasionally produce a match, but any alert should be investigated immediately. Note that the command line is only recorded in 4688 events when the "Include command line in process creation events" audit policy is enabled on the forwarding hosts; without it this rule cannot fire.

Element properties:

Target: WindowsEventCollectorDiscovery.EventLogCollectorServer
Category: Alert
Enabled: True
Event_ID: 4688
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message:
  Security Monitoring Forwarded Events: Common commands in known malicious scripts
  Event Description: {0}
Event Log: ForwardedEvents

Member Modules:

ID     Module Type   TypeId                            RunAs
DS     DataSource    Microsoft.Windows.EventProvider   Default
Alert  WriteAction   System.Health.GenerateAlert       Default

Source Code:

<Rule ID="SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD" Enabled="true" Target="WindowsEventCollectorDiscovery!WindowsEventCollectorDiscovery.EventLogCollectorServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>ForwardedEvents</LogName>
      <AllowProxying>true</AllowProxying>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">4688</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <RegExExpression>
                  <ValueExpression>
                    <XPathQuery Type="String">Params/Param[9]</XPathQuery>
                  </ValueExpression>
                  <Operator>ContainsSubstring</Operator>
                  <Pattern>cmd.exe /c cd c:\\Progra~1&amp;for</Pattern>
                </RegExExpression>
              </Expression>
              <Expression>
                <RegExExpression>
                  <ValueExpression>
                    <XPathQuery Type="String">Params/Param[9]</XPathQuery>
                  </ValueExpression>
                  <Operator>ContainsSubstring</Operator>
                  <Pattern>cmd.exe /c cd c:\\windows\\debug&amp;for</Pattern>
                </RegExExpression>
              </Expression>
              <Expression>
                <RegExExpression>
                  <ValueExpression>
                    <XPathQuery Type="String">Params/Param[9]</XPathQuery>
                  </ValueExpression>
                  <Operator>ContainsSubstring</Operator>
                  <Pattern>cmd.exe /c cd C:\\WINDOWS\\Installer&amp;for</Pattern>
                </RegExExpression>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data[Default='']/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression/>
      <Custom1/>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10>Security Monitoring</Custom10>
    </WriteAction>
  </WriteActions>
</Rule>
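The rule's match logic, as an added example that is not part of the Security Monitoring MP or of this rule's source: a PowerShell script for the event collector that applies the same three substring tests to the command line (the ninth insertion string, Param[9]) of 4688 events in ForwardedEvents, plus a check, meant for a forwarding host, that command-line auditing is switched on. The function names, the 24-hour look-back window and the sample command lines are this example's own; the case-insensitive comparison is also this example's choice and says nothing about how the SCOM ContainsSubstring operator compares.

```powershell
# Added example (not part of the Security Monitoring MP): reproduce the
# rule's match logic in PowerShell so the detection can be checked on the
# event collector, and on a forwarding host, without waiting for a SCOM alert.

# The three literal strings the rule looks for in 4688 Param[9] (CommandLine),
# written with single backslashes as they appear on a real command line.
$SuspiciousCmdPatterns = @(
    'cmd.exe /c cd c:\Progra~1&for',
    'cmd.exe /c cd c:\windows\debug&for',
    'cmd.exe /c cd C:\WINDOWS\Installer&for'
)

function Test-SuspiciousCmdLine {
    # Literal substring test with no wildcard or regex interpretation. The
    # case-insensitive comparison is this example's choice, so a drive letter
    # or path written in a different case still produces a hit.
    param([AllowEmptyString()][string]$CommandLine)
    foreach ($pattern in $SuspiciousCmdPatterns) {
        if ($CommandLine.IndexOf($pattern, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Get-SuspiciousProcessCreation {
    # Run on the collector. Reads 4688 events from ForwardedEvents and applies
    # the same check the rule does. Properties[8] is the ninth insertion string,
    # i.e. the CommandLine field the rule addresses as Params/Param[9].
    param(
        [string]$LogName = 'ForwardedEvents',
        [datetime]$StartTime = (Get-Date).AddHours(-24)   # example look-back window
    )
    $filter = @{ LogName = $LogName; Id = 4688; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        # Older 4688 layouts carry fewer parameters; skip events with no command line.
        if ($event.Properties.Count -le 8) { continue }
        $cmdLine = [string]$event.Properties[8].Value
        if (-not (Test-SuspiciousCmdLine -CommandLine $cmdLine)) { continue }
        # ParentProcessName is the 14th insertion string where the OS records it.
        $parent = $null
        if ($event.Properties.Count -gt 13) { $parent = $event.Properties[13].Value }
        [pscustomobject]@{
            TimeCreated   = $event.TimeCreated
            Computer      = $event.MachineName
            NewProcess    = $event.Properties[5].Value
            ParentProcess = $parent
            CommandLine   = $cmdLine
        }
    }
}

function Test-CommandLineAuditingEnabled {
    # Run on each forwarding host, not on the collector: 4688 only carries the
    # command line when "Include command line in process creation events" is
    # enabled, which sets this registry value to 1. Without it the rule can
    # never match because Param[9] is empty.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $value = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

# Constructed sample command lines (not real log data) to sanity-check the
# matcher offline: the first and third should match, the second should not.
$samples = @(
    'cmd.exe /c cd c:\windows\debug&for /L %i in (1,1,10) do echo %i',
    'C:\Windows\system32\cmd.exe /c dir c:\windows\debug',
    'cmd.exe /c cd C:\Progra~1&for %f in (*.exe) do echo %f'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-SuspiciousCmdLine -CommandLine $_); CommandLine = $_ }
}

# On the collector, list any matching forwarded events from the last day:
# Get-SuspiciousProcessCreation | Format-Table -AutoSize
```

If Get-SuspiciousProcessCreation returns matches but the SCOM rule has not alerted, check that the collector is discovered as WindowsEventCollectorDiscovery.EventLogCollectorServer (the rule's target) and that the rule is enabled; if it returns nothing for a host you expect to see, run Test-CommandLineAuditingEnabled on that host, since a 4688 event without a command line can never satisfy the Param[9] tests.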