Potentially Suspicious Event Viewer Child Process

About the rule

Rule Type

Standard

Rule Description

eventvwr.exe is a legitimate Windows system utility used to launch the Event Viewer, which allows users and administrators to review system logs. Attackers may abuse eventvwr.exe to execute a secondary, unauthorized process bypassing security controls since eventvwr.exe is a trusted, signed binary. This rule detects instances where eventvwr.exe spawns an unusual or suspicious child process (such as cmd.exe, powershell.exe, mshta.exe, or other binaries not typical for standard Event Viewer operations), which may indicate lateral movement, privilege escalation, or attempts at defense evasion.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Phishing → Execution → Abuse of eventvwr.exe → Suspicious child process creation → Impact

Impact

• Defense evasion
• Unauthorized command execution
• Lateral movement
• Malware execution
• Privilege escalation

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002), Privilege Escalation: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of anomalous use of eventvwr.exe spawning a potentially malicious or unauthorized child process. This enables you to review parent-child process relationships, analyze command-line arguments, and promptly identify suspicious technique use involving trusted Windows utilities

PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.

This rule allows you to detect the tampering of data within sensitive files, which helps you comply with this Subcategory.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule may trigger if legitimate administrative scripts or IT management tools leverage eventvwr.exe with approved child processes as part of standard IT workflows. Always verify command-line arguments, parent processes, and user context before escalating.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Reconfiguration: Update allowlists to include legitimate tool usages, refine detection rules for better accuracy, and continue monitoring for similar suspicious patterns.

Mitigation