Unusual Child Process from a System Virtual Process
Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/19"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/10"
6min_stack_version = "8.13.0"
7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
8
9[rule]
10author = ["Elastic"]
11description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
12from = "now-9m"
13index = [
14 "winlogbeat-*",
15 "logs-endpoint.events.process-*",
16 "logs-windows.forwarded*",
17 "logs-windows.sysmon_operational-*",
18 "endgame-*",
19 "logs-system.security*",
20 "logs-m365_defender.event-*",
21 "logs-sentinel_one_cloud_funnel.*",
22]
23language = "eql"
24license = "Elastic License v2"
25name = "Unusual Child Process from a System Virtual Process"
26risk_score = 73
27rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
28severity = "high"
29tags = [
30 "Domain: Endpoint",
31 "OS: Windows",
32 "Use Case: Threat Detection",
33 "Tactic: Defense Evasion",
34 "Data Source: Elastic Endgame",
35 "Data Source: Elastic Defend",
36 "Data Source: System",
37 "Data Source: Microsoft Defender for Endpoint",
38 "Data Source: Sysmon",
39 "Data Source: SentinelOne",
40]
41timestamp_override = "event.ingested"
42type = "eql"
43
44query = '''
45process where host.os.type == "windows" and event.type == "start" and
46 process.parent.pid == 4 and process.executable : "?*" and
47 not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1055"
55name = "Process Injection"
56reference = "https://attack.mitre.org/techniques/T1055/"
57
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Attempt to Install Kali Linux via WSL
- Windows Subsystem for Linux Enabled via Dism Utility
- Suspicious CertUtil Commands
- Windows Firewall Disabled via PowerShell
- IIS HTTP Logging Disabled