Suspicious Communication App Child Process

Identifies suspicious child processes of communication apps, which can indicate masquerading as the communication app, or exploitation of a vulnerability in the application that causes it to execute code.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/08/04"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the
communication app or the exploitation of a vulnerability on the application causing it to execute code.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Communication App Child Process"
risk_score = 47
rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 not process.executable :
             ("?:\\Program Files\\*.exe",
              "?:\\Program Files (x86)\\*.exe",
              "?:\\Windows\\System32\\WerFault.exe",
              "?:\\Windows\\SysWOW64\\WerFault.exe") and
  (
    /* Slack */
    (process.parent.name : "slack.exe" and not
      (
        (
          process.executable : (
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
            "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
            "?:\\Windows\\System32\\rundll32.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
            "?:\\Windows\\System32\\notepad.exe",
            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Slack Technologies, Inc.",
            "Slack Technologies, LLC"
          ) and process.code_signature.trusted == true
        ) or
        (
          (process.name : "powershell.exe" and process.command_line : "powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*") or
          (process.name : "cmd.exe" and process.command_line : "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"%windir%\\System32\\rundll32.exe User32.dll,SetFocus 0\"")
        )
      )
    ) or

    /* WebEx */
    (process.parent.name : ("CiscoCollabHost.exe", "WebexHost.exe") and not
      (
        (
          process.executable : (
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Cisco Systems, Inc.",
            "Cisco WebEx LLC",
            "Cisco Systems Inc."
          ) and process.code_signature.trusted == true
        )
      )
    ) or

    /* Teams */
    (process.parent.name : "Teams.exe" and not
      (
        (
          process.executable : (
            "?:\\Windows\\BrowserCore\\BrowserCore.exe",
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
            "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Microsoft Corporation",
            "Microsoft 3rd Party Application Component"
          ) and process.code_signature.trusted == true
        ) or
        (
          (process.name : "taskkill.exe" and process.args : "Teams.exe")
        )
      )
    ) or

    /* Discord */
    (process.parent.name : "Discord.exe" and not
      (
        (
          process.executable : (
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Windows\\System32\\reg.exe",
            "?:\\Windows\\SysWOW64\\reg.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Discord Inc."
          ) and process.code_signature.trusted == true
        ) or
        (
          process.name : "cmd.exe" and
          (
            process.command_line : (
              "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"chcp\"",
              "C:\\WINDOWS\\system32\\cmd.exe /q /d /s /c \"C:\\Program^ Files\\NVIDIA^ Corporation\\NVSMI\\nvidia-smi.exe\""
            ) or
            process.args : (
              "C:\\WINDOWS/System32/nvidia-smi.exe",
              "C:\\WINDOWS\\System32\\nvidia-smi.exe",
              "C:\\Windows\\System32\\DriverStore\\FileRepository/*/nvidia-smi.exe*"
            )
          )
        )
      )
    ) or

    /* WhatsApp */
    (process.parent.name : "Whatsapp.exe" and not
      (
        (
          process.executable : (
            "?:\\Windows\\System32\\reg.exe",
            "?:\\Windows\\SysWOW64\\reg.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "WhatsApp LLC",
            "WhatsApp, Inc",
            "24803D75-212C-471A-BC57-9EF86AB91435"
          ) and process.code_signature.trusted == true
        ) or
        (
          (process.name : "cmd.exe" and process.command_line : "C:\\Windows\\system32\\cmd.exe /d /s /c \"C:\\Windows\\system32\\wbem\\wmic.exe*")
        )
      )
    ) or

    /* Zoom */
    (process.parent.name : "Zoom.exe" and not
      (
        (
          process.executable : (
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Zoom Video Communications, Inc."
          ) and process.code_signature.trusted == true
        )
      )
    ) or

    /* Thunderbird */
    (process.parent.name : "thunderbird.exe" and not
      (
        (
          process.executable : (
            "?:\\Windows\\splwow64.exe",
            "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.EXE"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Mozilla Corporation"
          ) and process.code_signature.trusted == true
        )
      )
    )
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Communication App Child Process

Communication apps like Slack, WebEx, and Teams are integral to modern workflows, facilitating collaboration. However, adversaries can exploit these apps by spawning unauthorized child processes, potentially masquerading as legitimate ones or exploiting vulnerabilities to execute malicious code. The detection rule identifies such anomalies by monitoring child processes of these apps, ensuring they are trusted and signed by recognized entities. This helps in identifying potential threats that deviate from expected behavior, thus safeguarding against unauthorized access and execution.

### Possible investigation steps

- Review the process details, including the parent process name and executable path, to confirm if the child process is expected or unusual for the communication app in question.
- Check the code signature of the suspicious child process to determine if it is trusted and signed by a recognized entity, as specified in the query.
- Investigate the command line arguments of the child process to identify any potentially malicious or unexpected commands being executed.
- Correlate the event with other logs or alerts to identify any related suspicious activities or patterns, such as repeated unauthorized child process executions.
- Assess the user account associated with the process to determine if it has been compromised or is exhibiting unusual behavior.
- Examine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server.

### False positive analysis

- Legitimate software updates or installations may trigger the rule if they spawn child processes from communication apps. Users can create exceptions for known update processes by verifying their code signatures and paths.
- Custom scripts or automation tools that interact with communication apps might be flagged. Users should ensure these scripts are signed and located in trusted directories, then add them to the exception list.
- Certain administrative tasks, such as using command-line tools like cmd.exe or powershell.exe, may be mistakenly identified as suspicious. Users can whitelist specific command lines or arguments that are regularly used in their environment.
- Some third-party integrations with communication apps may generate child processes that are not inherently malicious. Users should verify the legitimacy of these integrations and add them to the trusted list if they are deemed safe.
- Regularly review and update the list of trusted code signatures and executable paths to ensure that legitimate processes are not inadvertently flagged as suspicious.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious code.
- Terminate any suspicious child processes identified by the detection rule that are not signed by recognized entities or are executing from unexpected locations.
- Conduct a thorough review of the affected communication app's logs and configurations to identify any unauthorized changes or access patterns.
- Restore the affected system from a known good backup if malicious activity is confirmed, ensuring that the backup is free from compromise.
- Update the communication app and all related software to the latest versions to patch any known vulnerabilities that may have been exploited.
- Implement application whitelisting to ensure only trusted and signed applications can execute, reducing the risk of similar threats.
- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to assess the potential impact on other systems."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"


[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
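To make the rule's layered exclusions concrete, the following is an added Python re-implementation of the query's child-process logic for two of the monitored parents (Slack and Teams), run over constructed process events. It is not Elastic's code; the event field names (parent_name, executable, signature_subject, signature_trusted, command_line) are assumptions standing in for the ECS fields the rule reads, and the allowlists are abbreviated from the query.

```python
from fnmatch import fnmatchcase

def glob(value, patterns):
    """Case-insensitive wildcard match, mirroring EQL's ':' operator (* and ? wildcards)."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

# First 'not' clause of the query: executables the rule never alerts on, whatever the parent.
GLOBAL_EXCLUDED = ["?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe",
                   "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe"]

# Per-parent allowlists (abbreviated): paths and signers count only with a trusted signature;
# command lines are exact patterns the app itself is known to run.
ALLOW = {
    "slack.exe": {
        "paths": ["?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
                  "?:\\Windows\\System32\\rundll32.exe"],
        "signers": ["Slack Technologies, Inc.", "Slack Technologies, LLC"],
        "cmdlines": ["powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*"],
    },
    "teams.exe": {
        "paths": ["?:\\Windows\\BrowserCore\\BrowserCore.exe"],
        "signers": ["Microsoft Corporation", "Microsoft 3rd Party Application Component"],
        "cmdlines": [],
    },
}

def is_suspicious(ev):
    """True when a process-start event (assumed field names) would fire the rule."""
    if (ev.get("os") != "windows" or ev.get("event_type") != "start"
            or glob(ev["executable"], GLOBAL_EXCLUDED)):
        return False
    allow = ALLOW.get(ev["parent_name"].lower())
    if allow is None:
        return False  # parent is not one of the monitored communication apps
    trusted = ev.get("signature_trusted") is True  # process.code_signature.trusted == true
    if trusted and glob(ev["executable"], allow["paths"]):
        return False
    if trusted and glob(ev.get("signature_subject", ""), allow["signers"]):
        return False
    if glob(ev.get("command_line", ""), allow["cmdlines"]):
        return False
    return True  # survived every exclusion: the rule would alert

# Constructed sample events (not real telemetry).
EVENTS = [
    {"os": "windows", "event_type": "start", "parent_name": "slack.exe",
     "executable": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "signature_trusted": False},
    {"os": "windows", "event_type": "start", "parent_name": "Slack.exe",  # allowed path, but unsigned
     "executable": "C:\\Windows\\System32\\rundll32.exe", "signature_trusted": False},
    {"os": "windows", "event_type": "start", "parent_name": "Teams.exe",  # trusted Microsoft signer
     "executable": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "signature_subject": "Microsoft Corporation", "signature_trusted": True},
    {"os": "windows", "event_type": "start", "parent_name": "teams.exe",  # global Program Files exclusion
     "executable": "C:\\Program Files\\Vendor\\tool.exe", "signature_trusted": False},
]

def alerts(events):
    return [e["executable"] for e in events if is_suspicious(e)]
```

The second event shows why the rule pairs every path allowlist with `process.code_signature.trusted == true`: a copy of rundll32.exe at the expected path still alerts when its signature is not trusted.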
