
Potentially Suspicious Execution From Parent Process In Public Folder (69bd9b97-2be2-41b6-9816-fb08757a4d1a)

Detects a potentially suspicious execution in which a parent process located in the "\Users\Public" folder launches a child process containing references to shell or scripting binaries and command lines.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Potentially Suspicious Execution From Parent Process In Public Folder (69bd9b97-2be2-41b6-9816-fb08757a4d1a) | Sigma-Rules | 1 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Potentially Suspicious Execution From Parent Process In Public Folder (69bd9b97-2be2-41b6-9816-fb08757a4d1a) | Sigma-Rules | 1 |