Suspicious Communication App Child Process
Identifies suspicious child processes of communication apps, which can indicate masquerading as the communication app or exploitation of a vulnerability in the application that causes it to execute code.
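# Rule bookkeeping read by the detection-rules tooling. Dates are kept as
# "YYYY/MM/DD" strings, as the rule repository writes them; do not convert
# them to native TOML dates.
[metadata]
creation_date = "2023/08/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/22"
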
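[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the
communication app or the exploitation of a vulnerability on the application causing it to execute code.
"""
# Look-back window per rule execution. Paired with timestamp_override below
# so that endpoint events that arrive late still fall inside the window.
from = "now-9m"
# Only Elastic Defend process events are consulted; other process sources
# (e.g. Sysmon via a different integration) are not covered by this index.
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Communication App Child Process"
risk_score = 47
rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
# Evaluate on ingest time rather than the event's own @timestamp.
timestamp_override = "event.ingested"
type = "eql"
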
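# One branch per communication app. A branch alerts on any process-start
# whose parent is that app UNLESS the child is (a) a trusted-signed binary at
# one of the listed paths, (b) trusted-signed with the vendor's own
# subject_name, or (c) one of the specific benign command lines listed for
# that app.
#
# Detection-engineering notes:
# - Every path and subject_name exclusion also requires
#   process.code_signature.trusted == true, so a child with no signature data
#   or an untrusted signature is not excluded by those clauses and will alert.
# - The "?:\\Program Files\\*" / "?:\\Program Files (x86)\\*" exclusions admit
#   any trusted-signed binary under those trees. They are deliberately broad
#   to limit noise; in practice the rule's coverage is children running from
#   user-writable locations or as system binaries not listed here.
# - The Slack branch excludes a trusted-signed System32 rundll32.exe and
#   notepad.exe regardless of arguments; if rundll32 children of Slack matter
#   in your environment, cover them with a separate rule keyed on process.args.
# - Command-line exclusions that end in "*" (Slack's Invoke-WebRequest to
#   slackb.com, WhatsApp's wmic.exe) match on prefix only. Keep them as narrow
#   as the observed benign invocation and re-validate them when the app updates.
# - The GUID-shaped WhatsApp subject_name is presumably a Store-package
#   publisher identity; confirm it against a live event before extending it.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  (
    /* Slack */
    (process.parent.name : "slack.exe" and not
      (
        (
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
            "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
            "?:\\Windows\\System32\\rundll32.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
            "?:\\Windows\\System32\\notepad.exe",
            "?:\\Windows\\System32\\WerFault.exe",
            "?:\\Windows\\SysWOW64\\WerFault.exe",
            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Slack Technologies, Inc.",
            "Slack Technologies, LLC"
          ) and process.code_signature.trusted == true
        ) or
        (
          (process.name : "powershell.exe" and process.command_line : "powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*") or
          (process.name : "cmd.exe" and process.command_line : "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"%windir%\\System32\\rundll32.exe User32.dll,SetFocus 0\"")
        )
      )
    ) or

    /* WebEx */
    (process.parent.name : ("CiscoCollabHost.exe", "WebexHost.exe") and not
      (
        (
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
            "?:\\Windows\\System32\\WerFault.exe",
            "?:\\Windows\\SysWOW64\\WerFault.exe",
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Cisco Systems, Inc.",
            "Cisco WebEx LLC",
            "Cisco Systems Inc."
          ) and process.code_signature.trusted == true
        )
      )
    ) or

    /* Teams */
    (process.parent.name : "Teams.exe" and not
      (
        (
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
            "?:\\Windows\\System32\\WerFault.exe",
            "?:\\Windows\\SysWOW64\\WerFault.exe",
            "?:\\Windows\\BrowserCore\\BrowserCore.exe",
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Microsoft Corporation",
            "Microsoft 3rd Party Application Component"
          ) and process.code_signature.trusted == true
        ) or
        (
          (process.name : "taskkill.exe" and process.args : "Teams.exe")
        )
      )
    ) or

    /* Discord */
    (process.parent.name : "Discord.exe" and not
      (
        (
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Windows\\System32\\reg.exe",
            "?:\\Windows\\SysWOW64\\reg.exe",
            "?:\\Windows\\System32\\WerFault.exe",
            "?:\\Windows\\SysWOW64\\WerFault.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Discord Inc."
          ) and process.code_signature.trusted == true
        ) or
        (
          process.name : "cmd.exe" and
          (
            process.command_line : (
              "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"chcp\"",
              "C:\\WINDOWS\\system32\\cmd.exe /q /d /s /c \"C:\\Program^ Files\\NVIDIA^ Corporation\\NVSMI\\nvidia-smi.exe\""
            ) or
            process.args : (
              "C:\\WINDOWS/System32/nvidia-smi.exe",
              "C:\\WINDOWS\\System32\\nvidia-smi.exe",
              "C:\\Windows\\System32\\DriverStore\\FileRepository/*/nvidia-smi.exe*"
            )
          )
        )
      )
    ) or

    /* WhatsApp */
    (process.parent.name : "Whatsapp.exe" and not
      (
        (
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
            "?:\\Windows\\System32\\WerFault.exe",
            "?:\\Windows\\SysWOW64\\WerFault.exe",
            "?:\\Windows\\System32\\reg.exe",
            "?:\\Windows\\SysWOW64\\reg.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "WhatsApp LLC",
            "WhatsApp, Inc",
            "24803D75-212C-471A-BC57-9EF86AB91435"
          ) and process.code_signature.trusted == true
        ) or
        (
          (process.name : "cmd.exe" and process.command_line : "C:\\Windows\\system32\\cmd.exe /d /s /c \"C:\\Windows\\system32\\wbem\\wmic.exe*")
        )
      )
    ) or

    /* Zoom */
    (process.parent.name : "Zoom.exe" and not
      (
        (
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
            "?:\\Windows\\System32\\WerFault.exe",
            "?:\\Windows\\SysWOW64\\WerFault.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Zoom Video Communications, Inc."
          ) and process.code_signature.trusted == true
        )
      )
    ) or

    /* Thunderbird */
    (process.parent.name : "thunderbird.exe" and not
      (
        (
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
            "?:\\Windows\\System32\\WerFault.exe",
            "?:\\Windows\\SysWOW64\\WerFault.exe",
            "?:\\Windows\\splwow64.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
            "Mozilla Corporation"
          ) and process.code_signature.trusted == true
        )
      )
    )
  )
'''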
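# Investigation guide shown alongside the alert (Markdown). The disclaimer
# paragraph is part of the published text and stays with it.
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Communication App Child Process

Communication apps like Slack, WebEx, and Teams are integral to modern workflows, facilitating collaboration. However, adversaries can exploit these apps by spawning unauthorized child processes, potentially masquerading as legitimate ones or exploiting vulnerabilities to execute malicious code. The detection rule identifies such anomalies by monitoring child processes of these apps, ensuring they are trusted and signed by recognized entities. This helps in identifying potential threats that deviate from expected behavior, thus safeguarding against unauthorized access and execution.

### Possible investigation steps

- Review the process details, including the parent process name and executable path, to confirm if the child process is expected or unusual for the communication app in question.
- Check the code signature of the suspicious child process to determine if it is trusted and signed by a recognized entity, as specified in the query.
- Investigate the command line arguments of the child process to identify any potentially malicious or unexpected commands being executed.
- Correlate the event with other logs or alerts to identify any related suspicious activities or patterns, such as repeated unauthorized child process executions.
- Assess the user account associated with the process to determine if it has been compromised or is exhibiting unusual behavior.
- Examine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server.

### False positive analysis

- Legitimate software updates or installations may trigger the rule if they spawn child processes from communication apps. Users can create exceptions for known update processes by verifying their code signatures and paths.
- Custom scripts or automation tools that interact with communication apps might be flagged. Users should ensure these scripts are signed and located in trusted directories, then add them to the exception list.
- Certain administrative tasks, such as using command-line tools like cmd.exe or powershell.exe, may be mistakenly identified as suspicious. Users can whitelist specific command lines or arguments that are regularly used in their environment.
- Some third-party integrations with communication apps may generate child processes that are not inherently malicious. Users should verify the legitimacy of these integrations and add them to the trusted list if they are deemed safe.
- Regularly review and update the list of trusted code signatures and executable paths to ensure that legitimate processes are not inadvertently flagged as suspicious.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious code.
- Terminate any suspicious child processes identified by the detection rule that are not signed by recognized entities or are executing from unexpected locations.
- Conduct a thorough review of the affected communication app's logs and configurations to identify any unauthorized changes or access patterns.
- Restore the affected system from a known good backup if malicious activity is confirmed, ensuring that the backup is free from compromise.
- Update the communication app and all related software to the latest versions to patch any known vulnerabilities that may have been exploited.
- Implement application whitelisting to ensure only trusted and signed applications can execute, reducing the risk of similar threats.
- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to assess the potential impact on other systems."""

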
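# MITRE ATT&CK mapping: one [[rule.threat]] entry per tactic. Each entry lists
# its techniques (and sub-techniques) first, then the tactic itself, which is
# the layout the rule tooling expects.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"


[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"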
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Suspicious Communication App Child Process
Communication apps like Slack, WebEx, and Teams are integral to modern workflows, facilitating collaboration. However, adversaries can exploit these apps by spawning unauthorized child processes, potentially masquerading as legitimate ones or exploiting vulnerabilities to execute malicious code. The detection rule identifies such anomalies by monitoring child processes of these apps, ensuring they are trusted and signed by recognized entities. This helps in identifying potential threats that deviate from expected behavior, thus safeguarding against unauthorized access and execution.
Possible investigation steps
- Review the process details, including the parent process name and executable path, to confirm if the child process is expected or unusual for the communication app in question.
- Check the code signature of the suspicious child process to determine if it is trusted and signed by a recognized entity, as specified in the query.
- Investigate the command line arguments of the child process to identify any potentially malicious or unexpected commands being executed.
- Correlate the event with other logs or alerts to identify any related suspicious activities or patterns, such as repeated unauthorized child process executions.
- Assess the user account associated with the process to determine if it has been compromised or is exhibiting unusual behavior.
- Examine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server.
False positive analysis
- Legitimate software updates or installations may trigger the rule if they spawn child processes from communication apps. Users can create exceptions for known update processes by verifying their code signatures and paths.
- Custom scripts or automation tools that interact with communication apps might be flagged. Users should ensure these scripts are signed and located in trusted directories, then add them to the exception list.
- Certain administrative tasks, such as using command-line tools like cmd.exe or powershell.exe, may be mistakenly identified as suspicious. Users can whitelist specific command lines or arguments that are regularly used in their environment.
- Some third-party integrations with communication apps may generate child processes that are not inherently malicious. Users should verify the legitimacy of these integrations and add them to the trusted list if they are deemed safe.
- Regularly review and update the list of trusted code signatures and executable paths to ensure that legitimate processes are not inadvertently flagged as suspicious.
Response and remediation
- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious code.
- Terminate any suspicious child processes identified by the detection rule that are not signed by recognized entities or are executing from unexpected locations.
- Conduct a thorough review of the affected communication app's logs and configurations to identify any unauthorized changes or access patterns.
- Restore the affected system from a known good backup if malicious activity is confirmed, ensuring that the backup is free from compromise.
- Update the communication app and all related software to the latest versions to patch any known vulnerabilities that may have been exploited.
- Implement application whitelisting to ensure only trusted and signed applications can execute, reducing the risk of similar threats.
- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to assess the potential impact on other systems.
Related rules
- Image File Execution Options Injection
- Installation of Security Support Provider
- Office Test Registry Persistence
- Persistence via Hidden Run Key Detected
- Persistence via a Windows Installer