A trusted/signed developer utility (parent) is executed in a non-developer context and (a) spawns suspicious children (e.g., powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe, wscript.exe), (b) loads unsigned/user-writable DLLs, (c) writes and then runs a new PE from user-writable paths, and/or (d) immediately makes outbound network connections.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Process Metadata (DC0034) | WinEventLog:AppLocker | AppLocker audit/blocks showing developer utilities executing scripts/binaries outside policy |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between developer utility execution, payload write, and network egress (e.g., 0–30 minutes). |
| AllowedUtilitiesList | Org-specific list of dev utilities legitimately used on build/dev hosts to suppress noise. |
| DeveloperHosts | List of known developer/build systems where these tools are expected; raise severity off-host. |
| SuspiciousChildList | Child processes considered high-risk when spawned by dev utilities (powershell.exe, rundll32.exe, regsvr32.exe, cmd.exe, wscript.exe, mshta.exe). |
| RarePathRegex | Regex of user-writable or atypical paths (e.g., %TEMP%, %APPDATA%, recycle bin, public profile) for payload drops. |
| UnsignedOrInvalidSignatureOnly | Toggle to alert only when child/payload is unsigned or signature invalid to reduce noise. |
| ParentProcessAllowList | Known orchestrators (e.g., CI/CD agents) that often run these utilities legitimately. |
| NetworkReputationThreshold | Heuristic for rare/unknown destination (no DNS reputation, new domain, geo outside region). |
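The following is an added worked example, not part of the original detection strategy page, showing how the four behaviours (a)–(d) and the tunables above can be wired into one correlation over normalised Security 4688 and Sysmon 3/7/11/22 records. The utility names (msbuild.exe, csc.exe), host names, the CI agent name, the path regex and every sample event are constructed placeholders; an organisation would substitute its own AllowedUtilitiesList, DeveloperHosts and ParentProcessAllowList values.

```python
import re
from datetime import datetime, timedelta

# --- Tunables mirroring the parameter table (constructed, org-specific placeholders) ---
TIME_WINDOW = timedelta(minutes=30)                # TimeWindow
DEV_UTILITIES = {"msbuild.exe", "csc.exe"}         # assumed trusted developer utilities to anchor on
DEVELOPER_HOSTS = {"BUILD01"}                      # DeveloperHosts: expected here, higher severity elsewhere
PARENT_PROCESS_ALLOW_LIST = {"agent.worker.exe"}   # ParentProcessAllowList: hypothetical CI/CD agent
SUSPICIOUS_CHILDREN = {"powershell.exe", "rundll32.exe", "regsvr32.exe",
                       "cmd.exe", "wscript.exe", "mshta.exe"}   # SuspiciousChildList
RARE_PATH_REGEX = re.compile(r"\\(Temp|AppData|Users\\Public|\$Recycle\.Bin)\\", re.I)  # RarePathRegex
UNSIGNED_OR_INVALID_ONLY = True                    # UnsignedOrInvalidSignatureOnly


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Correlate events around each trusted-developer-utility launch.
    Each event is a dict with ts, host, code, pid, image, plus parent_pid/parent_image
    (4688), image_loaded/signed (Sysmon 7), target (Sysmon 11) or dest (Sysmon 3/22)."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in events:
        # Anchor: a dev utility launch whose parent is not a known orchestrator
        if ev["code"] != 4688 or basename(ev["image"]) not in DEV_UTILITIES:
            continue
        if basename(ev.get("parent_image", "")) in PARENT_PROCESS_ALLOW_LIST:
            continue
        start, end = ev["ts"], ev["ts"] + TIME_WINDOW
        indicators, dropped = [], set()
        for e in events:
            if e is ev or e["host"] != ev["host"] or not (start <= e["ts"] <= end):
                continue
            if e["code"] == 4688:
                if e.get("parent_pid") != ev["pid"]:
                    continue
                child = basename(e["image"])
                if child in SUSPICIOUS_CHILDREN:                  # (a) suspicious child
                    indicators.append(("suspicious_child", child))
                if e["image"].lower() in dropped:                 # (c) write-then-run of a new PE
                    indicators.append(("dropped_pe_executed", e["image"]))
                continue
            if e["pid"] != ev["pid"]:
                continue
            if e["code"] == 7:                                    # (b) unsigned / user-writable DLL
                unsigned = not e.get("signed", True)
                rare = bool(RARE_PATH_REGEX.search(e["image_loaded"]))
                if unsigned or (rare and not UNSIGNED_OR_INVALID_ONLY):
                    indicators.append(("module_load", e["image_loaded"]))
            elif e["code"] == 11:                                 # (c) PE written to a rare path
                t = e["target"]
                if t.lower().endswith((".exe", ".dll")) and RARE_PATH_REGEX.search(t):
                    dropped.add(t.lower())
                    indicators.append(("pe_written", t))
            elif e["code"] in (3, 22):                            # (d) outbound network / DNS
                indicators.append(("network", e.get("dest")))
        if indicators:
            findings.append({
                "host": ev["host"], "pid": ev["pid"], "utility": basename(ev["image"]),
                "severity": "medium" if ev["host"] in DEVELOPER_HOSTS else "high",
                "indicators": indicators,
            })
    return findings


# --- Constructed sample telemetry (not real logs) ---
T0 = datetime(2024, 1, 1, 10, 0, 0)
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROP = r"C:\Users\alice\AppData\Local\Temp\out.exe"


def at(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    # Workstation (not a developer host): Office spawns MSBuild, which misbehaves
    {"ts": at(0), "host": "WS-042", "code": 4688, "pid": 4100, "parent_pid": 3000,
     "parent_image": WINWORD, "image": MSBUILD},
    {"ts": at(2), "host": "WS-042", "code": 4688, "pid": 4120, "parent_pid": 4100,
     "parent_image": MSBUILD, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": at(5), "host": "WS-042", "code": 11, "pid": 4100, "image": MSBUILD, "target": DROP},
    {"ts": at(6), "host": "WS-042", "code": 7, "pid": 4100, "image": MSBUILD,
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "signed": False},
    {"ts": at(8), "host": "WS-042", "code": 4688, "pid": 4200, "parent_pid": 4100,
     "parent_image": MSBUILD, "image": DROP},
    {"ts": at(10), "host": "WS-042", "code": 3, "pid": 4100, "image": MSBUILD, "dest": "203.0.113.7:443"},
    # Build host: CI agent launches MSBuild, which talks to the network -> allow-listed, no finding
    {"ts": at(300), "host": "BUILD01", "code": 4688, "pid": 500, "parent_pid": 400,
     "parent_image": r"C:\agent\bin\agent.worker.exe", "image": MSBUILD},
    {"ts": at(301), "host": "BUILD01", "code": 3, "pid": 500, "image": MSBUILD, "dest": "10.0.0.5:443"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["utility"], f["indicators"])
```

The anchor is the developer-utility launch itself, so a single alert carries every indicator seen in the window rather than one alert per event; the ordered indicator list (child spawn, PE write, unsigned module, execution of the written PE, egress) is what an analyst would use to triage, and the severity step-up for hosts outside DeveloperHosts implements the "non-developer context" condition from the description.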