Sigma rules generated by CloudSigma and rendered into Splunk queries against the Windows Sysmon schema. Every rule is mapped to a MITRE ATT&CK technique and validated against the Splunk dialect.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1059 | Command and Scripting Interpreter on Windows Sysmon | medium | Windows Sysmon |
| T1068 | Exploitation for Privilege Escalation on Windows Sysmon | medium | Windows Sysmon |
| T1078 | Valid Accounts on Windows Sysmon | medium | Windows Sysmon |
| T1098 | Account Manipulation on Windows Sysmon | medium | Windows Sysmon |
| T1548 | Abuse Elevation Control Mechanism on Windows Sysmon | medium | Windows Sysmon |
The rule below, Windows Command Interpreter Spawned by Web or Scripting Runtime, was generated by CloudSigma and validated against the Splunk dialect. It is the T1059 entry from the table above; its description records why the broad CommandLine branch and the java/node/npm parents present in earlier versions were dropped.
```yaml
title: Windows Command Interpreter Spawned by Web or Scripting Runtime
id: e95ab3af-fd83-4438-ad41-47eaa0f90998
status: test
description: >
  Detects a Windows command interpreter (cmd.exe, powershell.exe,
  cscript.exe, wscript.exe) being spawned as a child of a web or
  scripting runtime that is commonly seen in webshell and
  download-cradle activity (curl.exe, wget.exe, php.exe,
  perl.exe, ruby.exe, python.exe). Earlier versions of this rule
  OR-ed in a broad CommandLine match (*cmd /c*, *powershell -c*)
  that fired on essentially every legitimate Windows scripted
  command — that branch is removed here. java.exe, node.exe and
  npm.exe are also dropped from the parent list because build
  tooling on developer hosts spawns cmd.exe routinely.
author: CloudSigma
date: 2026-04-24
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://attack.mitre.org/techniques/T1505/003/
tags:
  - attack.execution
  - attack.t1059
logsource:
  product: windows
  service: sysmon
detection:
  selection_cmd_spawn:
    EventID: 1
    Image|endswith:
      - \cmd.exe
      - \powershell.exe
      - \cscript.exe
      - \wscript.exe
  selection_suspicious_parents:
    ParentImage|endswith:
      - \curl.exe
      - \wget.exe
      - \perl.exe
      - \ruby.exe
      - \php.exe
      - \python.exe
      - \w3wp.exe
      - \httpd.exe
  filter_legitimate_system:
    User|contains:
      - SYSTEM
      - LOCAL SERVICE
      - NETWORK SERVICE
  condition: selection_cmd_spawn and selection_suspicious_parents and not filter_legitimate_system
falsepositives:
  - Python or curl-based deployment automation on jump hosts that intentionally invokes PowerShell
  - Legitimate ETL or backup scripts running under a service account that wraps a PowerShell pipeline
  - Webserver process (w3wp, httpd) launching a child shell as part of a documented administrative workflow
fields:
  - Image
  - ParentImage
  - CommandLine
  - User
  - Computer
level: high
```
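As an added example (this is not CloudSigma's code, and not the rendered Splunk query the page refers to): the rule's detection block evaluated with Sigma's case-insensitive endswith/contains semantics over a handful of constructed Sysmon Event ID 1 records, plus a Splunk search built from the same value lists. The SPL rendering follows the IN (...) / NOT shape that Sigma's Splunk backend commonly produces; the exact text CloudSigma emits is not shown on the page and is an assumption here. Two things the rule text alone does not make obvious show up in the sample run: matching is case-insensitive, so CMD.EXE under CURL.EXE still alerts, and filter_legitimate_system is a substring match on User, so it also suppresses an account such as CORP\systemops and any web server whose worker process runs as LocalSystem, which is exactly where a webshell child would otherwise be caught.

```python
"""Added example, not CloudSigma's code: evaluate the detection block of
'Windows Command Interpreter Spawned by Web or Scripting Runtime' over
constructed Sysmon Event ID 1 records and render it as a Splunk search.
The SPL layout is an assumption about the usual Sigma Splunk backend
output; the page does not show CloudSigma's rendered query."""

# Value lists copied from the rule's detection block.
INTERPRETERS = ("\\cmd.exe", "\\powershell.exe", "\\cscript.exe", "\\wscript.exe")
SUSPICIOUS_PARENTS = ("\\curl.exe", "\\wget.exe", "\\perl.exe", "\\ruby.exe",
                      "\\php.exe", "\\python.exe", "\\w3wp.exe", "\\httpd.exe")
SERVICE_ACCOUNTS = ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")


def endswith_any(value: str, suffixes) -> bool:
    """Sigma |endswith: case-insensitive suffix match against any list entry."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles) -> bool:
    """Sigma |contains: case-insensitive substring match against any list entry."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event: dict) -> bool:
    """condition: selection_cmd_spawn and selection_suspicious_parents
    and not filter_legitimate_system"""
    selection_cmd_spawn = (event.get("EventID") == 1
                           and endswith_any(event.get("Image", ""), INTERPRETERS))
    selection_suspicious_parents = endswith_any(event.get("ParentImage", ""),
                                                SUSPICIOUS_PARENTS)
    filter_legitimate_system = contains_any(event.get("User", ""), SERVICE_ACCOUNTS)
    return selection_cmd_spawn and selection_suspicious_parents and not filter_legitimate_system


def to_spl() -> str:
    """Render the detection block as a Splunk search string.
    Backslashes are doubled because they are escape characters inside
    Splunk double-quoted strings; '*' is the wildcard."""
    def in_list(field: str, values, wrap) -> str:
        quoted = ", ".join('"' + wrap(v).replace("\\", "\\\\") + '"' for v in values)
        return f"{field} IN ({quoted})"
    return " ".join([
        "EventID=1",
        in_list("Image", INTERPRETERS, lambda v: "*" + v),            # |endswith
        in_list("ParentImage", SUSPICIOUS_PARENTS, lambda v: "*" + v),  # |endswith
        "NOT " + in_list("User", SERVICE_ACCOUNTS, lambda v: "*" + v + "*"),  # |contains
    ])


# Constructed Sysmon Event ID 1 records (not real telemetry); "tag" labels each case.
SAMPLE_EVENTS = [
    {"tag": "webshell", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"tag": "case-variant", "EventID": 1, "Image": "C:\\WINDOWS\\SYSTEM32\\CMD.EXE",
     "ParentImage": "C:\\TOOLS\\CURL.EXE", "CommandLine": "CMD /C dir", "User": "CORP\\jdoe"},
    {"tag": "deploy-automation", "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Python311\\python.exe",
     "CommandLine": "powershell -File deploy.ps1", "User": "CORP\\svc-deploy"},
    # Same webshell-shaped chain, but the worker runs as LocalSystem: filtered out.
    {"tag": "system-filtered", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\curl.exe", "CommandLine": "cmd /c whoami",
     "User": "NT AUTHORITY\\SYSTEM"},
    # User|contains SYSTEM also swallows an ordinary account whose name contains it.
    {"tag": "substring-filtered", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\curl.exe", "CommandLine": "cmd /c whoami",
     "User": "CORP\\systemops"},
    {"tag": "build-tooling", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Java\\bin\\java.exe",
     "CommandLine": "cmd /c gradlew build", "User": "CORP\\dev"},
    # Constructed to show the EventID gate; a real Event ID 3 carries no ParentImage.
    {"tag": "wrong-event", "EventID": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\curl.exe", "User": "CORP\\jdoe"},
]


def run(events) -> list:
    """Return the tags of the records the rule alerts on, in input order."""
    return [e["tag"] for e in events if matches(e)]


if __name__ == "__main__":
    for tag in run(SAMPLE_EVENTS):
        print("ALERT", tag)
    print(to_spl())
```

Running it alerts on webshell, case-variant and deploy-automation; the third is the first documented false positive, and the system-filtered and substring-filtered records show the two blind spots the SYSTEM filter opens. If the app pool on a given server runs as LocalSystem, consider tightening the filter to an exact User match rather than a substring.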