Unusual Child Process from a System Virtual Process
Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
from = "now-9m"
index = [
  "endgame-*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual Child Process from a System Virtual Process"
risk_score = 73
rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.pid == 4 and process.executable : "?*" and
  not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe", "HotPatch")
'''

note = """## Triage and analysis

### Investigating Unusual Child Process from a System Virtual Process

#### Possible investigation steps

- Does the alert prove a real PID 4 child outside normal System-process exclusions?
  - Focus: alert-local `process.parent.pid`, `process.parent.name`, `process.parent.executable`, `process.executable`, and `process.command_line`.
  - Implication: escalate when PID 4 spawned a non-standard user-mode child whose path or command does not fit a signed system helper; lower suspicion only when identity and context fit one recognized boot, servicing, driver, security, or virtualization helper.
- Is the child binary identity consistent with the claimed system component?
  - Focus: `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
  - Implication: escalate when path, hash, original file name, or signer conflicts with the claimed binary, especially from user-writable or unusual system paths; lower suspicion only when signer, hash history, and path converge on one recognized product.
- Does the child show drop, rename, or hollowing clues at start?
  - Focus: `process.Ext.relative_file_creation_time`, `process.Ext.relative_file_name_modify_time`, `process.Ext.created_suspended`, and `process.command_line`. $investigate_3
  - Implication: escalate when the executable is newly created or renamed, starts suspended, or invokes script/LOLBins; older stable timing and a product-consistent command lower concern but do not clear abnormal parentage alone.
- Which account, session, and token context owned the child?
  - Focus: `user.id`, `process.Ext.authentication_id`, `process.Ext.session_info.logon_type`, and `process.Ext.token.integrity_level_name`.
  - Implication: escalate when a PID 4 child appears in an interactive, remote, or unexpected user context, or carries a token that does not fit the helper role; service or boot context lowers concern only when identity and behavior align.
- Did the child launch follow-on processes that reveal intent?
  - Why: injected code can use a trusted or privileged process as a launcher, so the child process's descendants may be the first visible operator action.
  - Focus: child process events from `process.entity_id`, reading `process.executable`, `process.command_line`, and `process.Ext.ancestry`. $investigate_1
  - Implication: escalate when descendants are scripting engines, admin tools, renamed binaries, or commands that do not fit the child identity; no descendants lowers urgency but does not clear abnormal identity, session, or timing.
- If local evidence remains suspicious or unresolved, does the same child identity appear outside this host?
  - Focus: same-host related alerts plus process starts for `process.hash.sha256`, `process.executable`, and `process.code_signature.subject_name`. $investigate_2 $investigate_0
  - Implication: broaden scope when the same child identity, signer mismatch, or descendant pattern appears on unrelated hosts; keep localized only when confined to one clean workflow on one host.
- Escalate on abnormal or contradictory parentage, identity, start-state, session/token, descendant, or scope evidence; close only when all support one signed workflow; preserve and escalate when mixed or incomplete.

### False positive analysis

- Endpoint security, virtualization, hardware, driver, servicing, or boot workflows can legitimately spawn signed helpers from PID 4. Confirm `process.executable`, `process.hash.sha256`, `process.code_signature.subject_name`, session/token context, command line, start-state timing, and descendants all align with the same product or Microsoft servicing sequence. Use inventory or change records only after telemetry matches; if unavailable, require the same stable child identity and bounded descendant pattern to recur for the same `host.id` across prior alerts from this rule before exceptioning.
- Before creating an exception, require recurrence for the same `host.id` plus stable `process.hash.sha256`, `process.executable`, `process.code_signature.subject_name`, and command or descendant pattern. Avoid exceptions on `process.parent.pid`, `process.name`, or the System parent condition alone.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document the signed maintenance, security, driver, virtualization, or servicing workflow that matched the child identity, session/token context, command line, and descendant process pattern. Create an exception only after the same bounded pattern recurs.
- If suspicious but unconfirmed, preserve the alert event, child and parent entity IDs, binary identity, command line, signer, session/token context, and descendant process events before containment. Apply reversible containment first; isolate only if the host role can tolerate it and the child or descendants show active suspicious behavior.
- If confirmed malicious, isolate the host when process identity, session/token context, start-state clues, or descendant behavior establish unauthorized activity. Before termination, record the child and descendant process identifiers, command lines, hashes, signer details, and timeline evidence. Terminate the malicious child and descendants only after preservation, then remove only confirmed malicious artifacts or persistence changes identified during response and scope other hosts for the same child identity.
- Post-incident hardening should determine why the System process spawned the child, review the responsible driver, service, security product, or exploit path, retain process telemetry needed for PID 4 parentage and descendant analysis, and document any adjacent blind spots for follow-up.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.id",
  "process.entity_id",
  "process.parent.pid",
  "process.executable",
  "process.command_line",
  "process.hash.sha256",
  "process.pe.original_file_name",
  "process.code_signature.subject_name",
  "process.code_signature.trusted",
  "process.Ext.relative_file_creation_time",
  "process.Ext.created_suspended",
  "process.Ext.session_info.logon_type",
  "process.Ext.token.integrity_level_name",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the host in the last 48h"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Process descendants spawned by the System-spawned child"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process starts for the same child identity"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "process.hash.sha256", queryType = "phrase", value = "{{process.hash.sha256}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the child executable path"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "file.path", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
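The following Python is an added example written for this page; it is not part of the Elastic rule, the detection-rules repository, or any Elastic product. It re-implements the rule's query over constructed, flattened ECS events so the EQL `:` operator semantics of the exclusion list (case-insensitive, `?` for any single character such as the drive letter, `*` for any run, and `"?*"` requiring a non-empty `process.executable`) can be seen on sample input, then turns the investigation guide's checks and the false-positive recurrence requirement into functions. The descendant join by `process.parent.entity_id` mirrors the second `transform.investigate` above. Everything not in the rule is an assumption chosen for the example: the flat dict event shape, `RECENT_FILE_SECONDS`, `USER_WRITABLE`, `OPERATOR_TOOLS`, `EXCEPTION_RECURRENCE`, the logon-type strings, and every host, hash, path and signer value.

```python
# Added example, not part of the Elastic rule or its repository.
# Events are flat dicts keyed by ECS field name; every value below is constructed.
import re
from typing import Iterable, List

def eql_match(value, pattern: str) -> bool:
    """EQL `:` on strings: case-insensitive, `*` matches any run, `?` exactly one char."""
    if not isinstance(value, str):
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

# Exclusion list copied from the rule query; "\\" in the EQL source is one backslash.
EXCLUSIONS = ("Registry", "MemCompression", r"?:\Windows\System32\smss.exe", "HotPatch")

def rule_matches(event: dict) -> bool:
    """True when a single process event satisfies the rule query."""
    exe = event.get("process.executable")
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.type") == "start"
        and event.get("process.parent.pid") == 4
        and eql_match(exe, "?*")  # executable present and non-empty
        and not any(eql_match(exe, p) for p in EXCLUSIONS)
    )

# Assumed triage parameters (not from the rule): how old a "newly created" file is,
# which paths are user-writable, which descendants look like operator tooling, and
# how many prior alerts with the same identity justify an exception.
RECENT_FILE_SECONDS = 3600
USER_WRITABLE = (r"*\Users\*", r"*\ProgramData\*", r"*\Temp\*", r"*\AppData\*")
OPERATOR_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "rundll32.exe", "regsvr32.exe", "net.exe", "whoami.exe", "schtasks.exe", "sc.exe"}
EXCEPTION_RECURRENCE = 3

def triage(alert: dict, descendants: Iterable[dict] = ()) -> List[str]:
    """Investigation-guide checks; an empty list means nothing contradicted the child's identity."""
    exe = alert.get("process.executable", "")
    basename = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if alert.get("process.code_signature.trusted") is not True:
        reasons.append("code signature missing or untrusted")
    if any(eql_match(exe, p) for p in USER_WRITABLE):
        reasons.append("child runs from a user-writable path")
    ofn = alert.get("process.pe.original_file_name")
    if ofn and ofn.lower() != basename:
        reasons.append(f"original file name {ofn} differs from {basename} (renamed binary)")
    age = alert.get("process.Ext.relative_file_creation_time")
    if age is not None and age < RECENT_FILE_SECONDS:
        reasons.append("executable created shortly before start (drop clue)")
    if alert.get("process.Ext.created_suspended"):
        reasons.append("child created suspended (hollowing clue)")
    if alert.get("process.Ext.session_info.logon_type") in ("Interactive", "RemoteInteractive"):
        reasons.append("interactive or remote logon context for a PID 4 child")
    for d in descendants:
        name = d.get("process.executable", "").rsplit("\\", 1)[-1].lower()
        if name in OPERATOR_TOOLS:
            reasons.append(f"descendant {name} is a scripting engine or admin tool")
    return reasons

def exception_ready(alert: dict, prior_alerts: Iterable[dict]) -> bool:
    """False-positive section: same host.id plus stable hash, path and signer, recurring, with clean triage."""
    key = ("host.id", "process.hash.sha256", "process.executable", "process.code_signature.subject_name")
    ident = tuple(alert.get(k) for k in key)
    if None in ident or triage(alert):
        return False
    return sum(1 for p in prior_alerts if tuple(p.get(k) for k in key) == ident) >= EXCEPTION_RECURRENCE

# Constructed sample telemetry (no real hosts, hashes or vendors).
BASE = {"host.os.type": "windows", "event.type": "start", "process.parent.pid": 4, "host.id": "host-a"}
ALERT = {**BASE, "process.entity_id": "p-1", "process.executable": r"C:\Users\Public\svchost.exe",
         "process.hash.sha256": "11" * 32, "process.pe.original_file_name": "Update.exe",
         "process.code_signature.trusted": False, "process.code_signature.subject_name": None,
         "process.Ext.relative_file_creation_time": 42.0, "process.Ext.created_suspended": False,
         "process.Ext.session_info.logon_type": "Interactive"}
BENIGN = {**BASE, "process.entity_id": "p-2", "process.executable": r"C:\Program Files\Example Vendor\evhelper.exe",
          "process.hash.sha256": "22" * 32, "process.pe.original_file_name": "evhelper.exe",
          "process.code_signature.trusted": True, "process.code_signature.subject_name": "Example Vendor Ltd",
          "process.Ext.relative_file_creation_time": 8.6e6, "process.Ext.created_suspended": False,
          "process.Ext.session_info.logon_type": "Service"}
DESCENDANTS = [{"process.parent.entity_id": "p-1",
                "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}]
SAMPLE_EVENTS = [
    {**BASE, "process.executable": r"c:\windows\system32\smss.exe"},  # excluded, case-insensitive match
    {**BASE, "process.executable": r"D:\Windows\System32\smss.exe"},  # excluded, "?:" is any drive letter
    {**BASE, "process.executable": "Registry"},                       # excluded virtual process
    {**BASE, "process.executable": ""},                               # "?*" requires one character
    {**BASE, "process.parent.pid": 612, "process.executable": r"C:\Windows\System32\svchost.exe"},
    ALERT, BENIGN,
]

if __name__ == "__main__":
    for e in (e for e in SAMPLE_EVENTS if rule_matches(e)):
        kids = [d for d in DESCENDANTS if d["process.parent.entity_id"] == e["process.entity_id"]]
        print(e["process.executable"], "->", triage(e, kids) or "no contradiction; check recurrence")
```

Run as a script, both PID 4 children that the query keeps are printed: the `C:\Users\Public` binary collects six reasons (untrusted signer, user-writable path, original-file-name mismatch, a file created 42 seconds before start, an interactive logon, and a PowerShell descendant), while the signed vendor helper collects none and only becomes exception-ready once `EXCEPTION_RECURRENCE` prior alerts share its `host.id`, hash, path and signer. Note that `triage()` returning an empty list is deliberately not a verdict of benign; per the guide it means the telemetry did not contradict the claimed identity, and recurrence is still required before an exception.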
Related rules
- Attempt to Install or Run Kali Linux via WSL
- Script Execution via Microsoft HTML Application
- Bypass UAC via Event Viewer
- UAC Bypass Attempt via Windows Directory Masquerading
- Suspicious Managed Code Hosting Process