Unusual Child Process from a System Virtual Process

 1[metadata]
 2creation_date = "2020/08/19"
 3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/17"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
12from = "now-9m"
13index = [
14    "winlogbeat-*",
15    "logs-endpoint.events.process-*",
16    "logs-windows.forwarded*",
17    "logs-windows.sysmon_operational-*",
18    "endgame-*",
19    "logs-system.security*",
20    "logs-m365_defender.event-*",
21    "logs-sentinel_one_cloud_funnel.*",
22]
23language = "eql"
24license = "Elastic License v2"
25name = "Unusual Child Process from a System Virtual Process"
26risk_score = 73
27rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
28severity = "high"
29tags = [
30    "Domain: Endpoint",
31    "OS: Windows",
32    "Use Case: Threat Detection",
33    "Tactic: Defense Evasion",
34    "Data Source: Elastic Endgame",
35    "Data Source: Elastic Defend",
36    "Data Source: System",
37    "Data Source: Microsoft Defender for Endpoint",
38    "Data Source: Sysmon",
39    "Data Source: SentinelOne",
40]
41timestamp_override = "event.ingested"
42type = "eql"
43
44query = '''
45process where host.os.type == "windows" and event.type == "start" and
46  process.parent.pid == 4 and process.executable : "?*" and
47  not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1055"
55name = "Process Injection"
56reference = "https://attack.mitre.org/techniques/T1055/"
57
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"