Unusual Parent-Child Relationship

  1[metadata]
  2creation_date = "2020/02/18"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[transform]
  8[[transform.osquery]]
  9label = "Osquery - Retrieve DNS Cache"
 10query = "SELECT * FROM dns_cache"
 11
 12[[transform.osquery]]
 13label = "Osquery - Retrieve All Services"
 14query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
 15
 16[[transform.osquery]]
 17label = "Osquery - Retrieve Services Running on User Accounts"
 18query = """
 19SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
 20NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
 21user_account == null)
 22"""
 23
 24[[transform.osquery]]
 25label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
 26query = """
 27SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
 28services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
 29authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 30"""
 31
 32
 33[rule]
 34author = ["Elastic"]
 35description = """
 36Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange
 37activity on a system.
 38"""
 39from = "now-9m"
 40index = [
 41    "endgame-*",
 42    "logs-crowdstrike.fdr*",
 43    "logs-endpoint.events.process-*",
 44    "logs-m365_defender.event-*",
 45    "logs-sentinel_one_cloud_funnel.*",
 46    "logs-system.security*",
 47    "logs-windows.forwarded*",
 48    "logs-windows.sysmon_operational-*",
 49    "winlogbeat-*",
 50]
 51language = "eql"
 52license = "Elastic License v2"
 53name = "Unusual Parent-Child Relationship"
 54note = """## Triage and analysis
 55
 56### Investigating Unusual Parent-Child Relationship
 57
 58Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.
 59
 60This rule uses this information to spot suspicious parent and child processes.
 61
 62> **Note**:
 63> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
 64
 65#### Possible investigation steps
 66
 67- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 68- Investigate other alerts associated with the user/host during the past 48 hours.
 69- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
 70- Examine the host for derived artifacts that indicate suspicious activities:
 71  - Analyze the process executable using a private sandboxed analysis system.
 72  - Observe and collect information about the following activities in both the sandbox and the alert subject host:
 73    - Attempts to contact external domains and addresses.
 74      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
 75      - Examine the DNS cache for suspicious or anomalous entries.
 76        - $osquery_0
 77    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
 78    - Examine the host services for suspicious or anomalous entries.
 79      - $osquery_1
 80      - $osquery_2
 81      - $osquery_3
 82  - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 83- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.
 84
 85
 86### False positive analysis
 87
 88- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
 89
 90### Response and remediation
 91
 92- Initiate the incident response process based on the outcome of the triage.
 93- Isolate the involved host to prevent further post-compromise behavior.
 94- If the triage identified malware, search the environment for additional compromised hosts.
 95  - Implement temporary network rules, procedures, and segmentation to contain the malware.
 96  - Stop suspicious processes.
 97  - Immediately block the identified indicators of compromise (IoCs).
 98  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
 99- Remove and block malicious artifacts identified during triage.
100- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
101- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
102- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
103"""
104references = [
105    "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
106    "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
107    "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
108]
109risk_score = 47
110rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
111severity = "medium"
112tags = [
113    "Domain: Endpoint",
114    "OS: Windows",
115    "Use Case: Threat Detection",
116    "Tactic: Privilege Escalation",
117    "Resources: Investigation Guide",
118    "Data Source: Elastic Endgame",
119    "Data Source: Elastic Defend",
120    "Data Source: Windows Security Event Logs",
121    "Data Source: Microsoft Defender for Endpoint",
122    "Data Source: Sysmon",
123    "Data Source: SentinelOne",
124    "Data Source: Crowdstrike",
125]
126timestamp_override = "event.ingested"
127type = "eql"
128
129query = '''
130process where host.os.type == "windows" and event.type == "start" and
131process.parent.name != null and
132 (
133   /* suspicious parent processes */
134   (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or
135   (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or
136   (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or
137   (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or
138   (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or
139   (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
140   (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or
141   (process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or
142   (process.name:"wininit.exe" and not process.parent.name:"smss.exe") or
143   (process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or
144   (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or
145   (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or
146   (process.name:"services.exe" and not process.parent.name:"wininit.exe") or
147   (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe")) or
148   (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or
149   (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe", "ngentask.exe")) or
150   (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
151   (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or
152   (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
153   /* suspicious child processes */
154   (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe")) or
155   (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
156   (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or
157   (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
158   (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe"))
159  )
160'''
161
162
163[[rule.threat]]
164framework = "MITRE ATT&CK"
165[[rule.threat.technique]]
166id = "T1055"
167name = "Process Injection"
168reference = "https://attack.mitre.org/techniques/T1055/"
169[[rule.threat.technique.subtechnique]]
170id = "T1055.012"
171name = "Process Hollowing"
172reference = "https://attack.mitre.org/techniques/T1055/012/"
173
174
175
176[rule.threat.tactic]
177id = "TA0004"
178name = "Privilege Escalation"
179reference = "https://attack.mitre.org/tactics/TA0004/"

References

• Slides/Hunting MindMaps/PNG/Windows Processes TH.map.png at master · sbousseaden/Slides

  

  Misc Threat Hunting Resources. Contribute to sbousseaden/Slides development by creating an account on GitHub.

  
  Read More

• Standard Windows processes: a brief reference

  

  Useful in forensics analysis and incident response During the analysis phase, after (for example) a system compromization, is very important to know the standard Windows processes, in order to have a ‘baseline’ useful to make a ‘diff’ with the compromised system. On this article, Patrick Olsen has developed a simple list of base processes, focused on Windows 7: Idle and System Created by ntoskrnl.exe via the process manager function, which creates and terminates processes and threads. No visible parent processes System has a static PID of 4 System creates smss.exe There should only be one system process running SMSS — Session Manager First user mode process Parent process is System Base Priority of 11 Username: NT AUTHORITY\SYSTEM Performs delayed file delete/rename changes Loads known dlls Runs from \%systemroot%\System32\smss.exe Creates session 0 (OS services) Creates session 1 (User session) Creates csrss and winlogon then exits, which is why they have no parent process and they both have session ids of 1 Runs within session 0 Only one smss.exe process should be running at one time. The second smss.exe process exits, so you will only see the one running in session 0. There can be more sessions if more users are logged on to the system. 0 and 1 are for a single user logged onto the system. CSRSS.EXE — Client/Server Run Windows subsystem process. Base Priority of 13 \%SystemRoot%\system32\csrss.exe Username: NT AUTHORITY\SYSTEM Creates/Deletes processes and threads, Temp files, etc. In XP its used to draw text based console windows. Under Windows 7, the conhost process now does that functionality. For example, cmd.exe One csrss process per session Its name is often used by malware to hide on systems (CSSRS.EXE, CSRSSS.EXE, etc.) Runs within session 0 WININIT.EXE — Windows Initialization Process Parent to services.exe (SCM), lsass.exe and lsm.exe Created by smss.exe, but since smss.exe exits there is no parent to WININIT. Base Priority of 13 Username: NT AUTHORITY\SYSTEM \%SystemRoot%\system32\wininit.exe Performs user-mode initialization tasks Creates \%windir%\temp Runs within session 0 SERVICES.EXE — Service Control Manager Child to WININIT.EXE Parent to services such at svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc. Services are defined in SYSTEMCurrentControlSetServices \%SystemRoot%\System32\wininit.exe Username: NT AUTHORITY\SYSTEM Base Priority of 9 Loads a database of services into memory Runs within session 0 There should only be one services.exe process running LSASS.EXE — Local Security Authority Child to WININIT.EXE Only one lsass.exe process %SystemRoot%\System32\lsass.exe Responsible for local security policy to include managing users allowed to login, password policies, writing to the security event log, etc. Often targeted by malware as a means to dump passwords. Also mimicked by malware to hide on a system (lass.exe, lssass.exe, lsasss.exe, etc.). These “fake” names will not be a children of wininit.exe. Base Priority of 9 Username: NT AUTHORITY\SYSTEM Runs within session 0 It should not have child processes SVCHOST.EXE — Service Hosting Process Multiple instances of svchost.exe can/do exist/run %SystemRoot%\System32\svchost.exe Username: Should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE Should always have a parent of services.exe Base Priority of 8 Often mimicked (scvhost, svch0st, etc.) When they are mimicked they will not be running as children to services.exe. Command Line: svchost.exe -k <name> -k <name> values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key Often times when malware uses the actual svchost.exe to load their malicious service they will not include -k command line parameters and be running under a username that does not match on of the three listed in bullet 3. They should all be running within session 0 LSM.EXE — Load Session Manager Service Manages the state of terminal server sessions on the local machine. Sends the requests to smss.exe to start new sessions. Child to wininit.exe It should not have child processes Receives logon/off, shell start and termination, connect/disconnects from a session, and lock/unlock desktop %systemroot%\System32\lsm.exe Base Priority of 8 Username: NT AUTHORITY\SYSTEM Runs within session 0 WINLOGON.EXE — Windows Logon Process No parent process Could have a child process of LogonUI if smartcard, etc. are used to authenticate LogonUI will terminate once the user enters their password. Once password is entered the verification is sent over to LSASS and it’s verified via Active Directory or SAM (the registry hive SAM), which stores local users and group information. Base Priority of 13 Runs within session one Handles interactive user logons/logoffs when SAS keystroke combination is entered (Ctrl+Alt+Delete) Loads Userinit within Software\Microsoft\Windows NT\CurrentVersion\Winlogon The userinit value in the registry should be: Userinit.exe, (note the comma). Malware will sometimes add additional values to this key, which will load malware upon successful logons. Userinit.exe exits once it runs so you wont see this process running when you look. Userinit initializes the user environment. This includes running GPOs and logon scripts. Will run Shell value located at Software\Microsoft\Windows NT\CurrentVersion\Winlogon within the registry. The value of shell should be Explorer.exe. Malware will also use this sometimes to execute malware by adding values. Since Userinit exists this is also why Explorer.exe doesn’t have a parent process. Explorer.exe — AKA Windows Explorer No parent process since Userinit.exe exits The value “Explorer.exe” is stored in shell value within the registry. The registry location is here: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Base Priority of 8 Username: The logged on user account. %Systemroot%\Explorer.exe This will contain multiple child processes. Some of you might know this better as, “Windows Explorer” This process is often targeted by malware. Malware will often times inject this process. One indication of this is if Explorer.exe is connecting out to the internet. There are other indicators, but that’s another post. We are keeping it simple here. Great, but Windows 10? However, this (great!) list needs some upgrades after the release of Windows 10. So, you can find some useful information on this post on forensicsfocus.com: Some highlights: System still has the PID 4 and is the parent of the Windows Session Manager. I will also mention that it still resides at %systemroot%\system32. All services are started from executable files from their former locations There are still two Client Server Runtime Processes (csrss.exe), one of which has the same parent as wininit.exe from an ended smss.exe process. The super-process winit.exe spawns services.exe, lsass.exe and the invisible lsm.exe process to start the Local Session Manager. Starting from Windows 8, lsm.exe is started inside a Service Host process from svchost.exe from the command line %systemroot%\system32\svchost.exe -k DcomLaunch. The WinLogon Service, which is responsible for Interactive Logons on a Windows Operating System, remains where it has always been for Session 1 and is started for every interactive user session. Microsoft has renamed the Host Process for Windows Tasks again. In Windows 7 it was named taskhost.exe, in Windows 8 it was called taskhostex.exe and the new name is taskhostw.exe in Windows 10. The primary purpose, serving as a generic “Host Process”, remains unchanged, as does the location in %systemroot%\system32. The Console Windows Host conhost.exe has been running as a child of cmd.exe since Windows 8, and not as a child of csrss.exe as it was in Windows 7. The executable file for Pathping is a child of cmd.exe in the same way conhost.exe is. There is no longer any separation of conhost.exe under the user’s own Client Server Runtime Service csrss.exe and the cmd.exe process under explorer.exe. The new Microsoft Edge web browser, the successor of Internet Explorer. Microsoft Edge starts four processes: Two processes named MicrosoftEdgeCP.exe, started from C:\Windows\SystemApps with the permission of the current user. Microsoft Edge starts with two of them for the first visible tab inside the browser window. Both are child processes of RuntimeBroker.exe, which is a child of svchost.exe, the Host Process for Windows Services. Runtime Broker starts automatically with the Operating System. A new MicrosoftEdge process is started under the Runtime Broker Service for every new tab that is opened by the browser. Microsoft is also introducing the new path %systemroot%\SystemApps and starting a web browser as a sub-child of svchost.exe, which breaks traditions in the process design. Directly spawned from svchost.exe is the process MicrosoftEdge.exe (without “CP” at the end of the file name). This is the main browser application process. And again, the executable file is saved in a subfolder of C:\Windows\SystemApps. The Host Process svchost.exe starts a fourth executable file called browser_broker.exe. This time Microsoft is following its own design traditions and has stored the file in the well-known path %systemroot%\system32. References Know your Windows Processes or Die Trying Standard Processes in Windows 10

  
  Read More

• Elastic Security Labs steps through the r77 rootkit — Elastic Security Labs

  

  Elastic Security Labs explores a campaign leveraging the r77 rootkit and has been observed deploying the XMRIG crypto miner. The research highlights the different modules of the rootkit and how they’re used to deploy additional malicious payloads.

  
  Read More

Related rules

• Bypass UAC via Event Viewer
• Persistence via TelemetryController Scheduled Task Hijack
• Privilege Escalation via Named Pipe Impersonation
• UAC Bypass Attempt via Windows Directory Masquerading
• UAC Bypass via DiskCleanup Scheduled Task Hijack