Rule Documentation: Suspicious Child Processes of PDQ Deploy Runner (Windows)
Suspicious PDQ Deploy Runner Child
Query
DeviceProcessEvents
| where InitiatingProcessParentFileName contains "PDQDeployRunner"
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "taskkill.exe", "at.exe", "wmic.exe", "bitsadmin.exe")
Notes:
Exclude trusted processes within your networkAbout this query
Rule Documentation: Suspicious Child Processes of PDQ Deploy Runner (Windows)
Description
This detection rule identifies suspicious child processes spawned by the PDQDeployRunner.exe process. PDQ Deploy is a legitimate software deployment tool, but it can be misused by attackers to execute malicious payloads. This rule monitors for unusual child processes that may indicate malicious activity.
Detection Logic
- Monitors
DeviceProcessEventsfor child processes spawned byPDQDeployRunner.exe. - Identifies unusual or suspicious processes that are not commonly associated with legitimate PDQ Deploy activities.
Tags
- Execution
- Process Creation
- PDQ Deploy
- Suspicious Activity
Search Query
Explanation
This query is designed to detect potentially malicious activities involving the PDQDeployRunner.exe process, which is part of the PDQ Deploy software. PDQ Deploy is a legitimate tool used for software deployment, but it can be exploited by attackers to run harmful commands or scripts.
Key Points:
- Purpose: To identify suspicious child processes started by
PDQDeployRunner.exe. - Monitored Events: The query looks at
DeviceProcessEventsto find child processes initiated byPDQDeployRunner.exe. - Suspicious Processes: It flags processes that are commonly associated with malicious activities, such as
powershell.exe,cmd.exe,wscript.exe, and others listed in the query.
Query Breakdown:
- Source of Events:
DeviceProcessEventstable. - Parent Process Filter: The parent process must be
PDQDeployRunner.exe. - Child Process Filter: The child process must be one of the specified executables known for being used in attacks.
Actionable Note:
- Exclude Trusted Processes: Make sure to exclude any processes that are known to be safe within your specific network environment to reduce false positives.
This rule helps in identifying and responding to potential misuse of PDQ Deploy for executing malicious commands or scripts.
Details

Ali Hussein
Released: May 21, 2024
Tables
Keywords
Operators