Suspicious Sysmon as Execution Parent

    Date: 07/09/2025

    Severity: High

    Summary

    Detects unusual process activity where Sysmon is observed as the parent process—behavior that may indicate exploitation attempts, such as those associated with CVE-2022-41120.

    Indicators of Compromise (IOC) List

    Processname (child images the detection queries exclude as expected Sysmon activity):

    'C:\Users\'
    '\AppData\Local\Temp\'
    '\Sysmon.exe'
    '\Sysmon64.exe'
    ':\Windows\Sysmon.exe'
    ':\Windows\Sysmon64.exe'
    ':\Windows\System32\conhost.exe'
    ':\Windows\System32\WerFault.exe' # When Sysmon crashes
    ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
    ':\Windows\System32\wevtutil.exe'
    ':\Windows\SysWOW64\wevtutil.exe'
    null

    Parentprocessname (parent images the detection queries match on):

    '\Sysmon.exe'
    '\Sysmon64.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    ((resourcename = "Windows Security" AND eventtype = "4688") AND (parentprocessname like "Sysmon.exe" OR parentprocessname like "Sysmon64.exe") AND (processname not like "C:\Users" AND processname not like "\AppData\Local\Temp") AND (processname not like "\Sysmon.exe" AND processname not like "\Sysmon64.exe") AND (processname not like ":\Windows\Sysmon.exe" AND processname not like ":\Windows\Sysmon64.exe" AND processname not like ":\Windows\System32\conhost.exe" AND processname not like ":\Windows\System32\WerFault.exe" AND processname not like ":\Windows\System32\WerFaultSecure.exe" AND processname not like ":\Windows\System32\wevtutil.exe" AND processname not like ":\Windows\SysWOW64\wevtutil.exe") AND processname not like "null")

    Detection Query 2:

    ((technologygroup = "EDR") AND (parentprocessname like "Sysmon.exe" OR parentprocessname like "Sysmon64.exe") AND (processname not like "C:\Users" AND processname not like "\AppData\Local\Temp") AND (processname not like "\Sysmon.exe" AND processname not like "\Sysmon64.exe") AND (processname not like ":\Windows\Sysmon.exe" AND processname not like ":\Windows\Sysmon64.exe" AND processname not like ":\Windows\System32\conhost.exe" AND processname not like ":\Windows\System32\WerFault.exe" AND processname not like ":\Windows\System32\WerFaultSecure.exe" AND processname not like ":\Windows\System32\wevtutil.exe" AND processname not like ":\Windows\SysWOW64\wevtutil.exe") AND processname not like "null")
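    The following Python is an added illustration of the logic the two queries above encode, run over a few constructed 4688 events; it is not Gurucul's code and not the Sigma rule. It assumes that the query language's `like` is a case-insensitive substring match, and the `ev` helper and sample events are constructed for the example.

```python
# Exclusion patterns copied from the page's detection query, lower-cased so the
# match is case-insensitive. A child image containing any of them is treated as
# expected Sysmon behaviour (self-update, crash handling, event log upkeep).
PARENT_PATTERNS = ("sysmon.exe", "sysmon64.exe")
EXCLUDED_CHILD_PATTERNS = (
    "c:\\users",                                # self-update copy under the user profile
    "\\appdata\\local\\temp",
    "\\sysmon.exe", "\\sysmon64.exe",           # Sysmon.exe handing off to Sysmon64.exe
    ":\\windows\\sysmon.exe", ":\\windows\\sysmon64.exe",
    ":\\windows\\system32\\conhost.exe",
    ":\\windows\\system32\\werfault.exe",       # when Sysmon crashes
    ":\\windows\\system32\\werfaultsecure.exe", # when Sysmon crashes
    ":\\windows\\system32\\wevtutil.exe",
    ":\\windows\\syswow64\\wevtutil.exe",
)

def is_suspicious(event: dict) -> bool:
    """True when a Windows Security 4688 event shows Sysmon spawning an
    unexpected child. 'like' is modelled as a substring test (assumption)."""
    if event.get("resourcename") != "Windows Security" or event.get("eventtype") != "4688":
        return False
    parent = (event.get("parentprocessname") or "").lower()
    if not any(p in parent for p in PARENT_PATTERNS):
        return False
    child = event.get("processname")
    if child is None:  # the query also drops events whose image is null
        return False
    child = child.lower()
    return not any(x in child for x in EXCLUDED_CHILD_PATTERNS)

def find_alerts(events: list) -> list:
    """Return the processname of every event the rule would alert on."""
    return [e["processname"] for e in events if is_suspicious(e)]

def ev(parent, child):
    """Build a minimal 4688 event in the field names the queries use (helper for this example)."""
    return {"resourcename": "Windows Security", "eventtype": "4688",
            "parentprocessname": parent, "processname": child}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ev("C:\\Windows\\Sysmon64.exe", "C:\\Windows\\System32\\cmd.exe"),           # alert
    ev("C:\\Windows\\Sysmon.exe", "C:\\Windows\\Sysmon64.exe"),                  # 32->64-bit handoff
    ev("C:\\Windows\\Sysmon64.exe", "C:\\Windows\\System32\\WerFault.exe"),      # crash handler
    ev("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\cmd.exe"), # parent is not Sysmon
    ev("C:\\Windows\\Sysmon64.exe", None),                                       # null image
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['C:\\Windows\\System32\\cmd.exe']
```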

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml


    Tags

    Sigma, Vulnerability, CVE-2022, Exploit
