Threat Feed advisory (severity: medium)

Unusual Parent-Child Relationship Detection

This rule identifies Windows programs run from an unexpected parent process, which can indicate process injection, masquerading, access token manipulation, or parent PID spoofing.

This detection identifies Windows programs executed with unexpected parent processes, which may indicate masquerading, process injection, or other anomalous behavior. The detection logic focuses on deviations from the established parent-child process relationships of the Windows operating system. The rule draws on data from multiple sources (Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs) to broaden detection coverage. Unusual parent-child relationships matter to defenders because they can indicate privilege escalation and defense evasion techniques used by threat actors; the rule aims to surface such activity early by flagging deviations from expected process execution patterns.

Attack Chain

  1. The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker executes a malicious payload that attempts to masquerade as a legitimate process.
  3. The malicious process is launched with an unexpected parent process, deviating from normal Windows process relationships. For example, autochk.exe running without smss.exe as its parent.
  4. The malicious process attempts to inject code into other processes for privilege escalation or defense evasion, leveraging techniques like process hollowing.
  5. The injected code gains elevated privileges, allowing the attacker to perform sensitive actions on the system.
  6. The attacker uses the elevated privileges to move laterally within the network, compromising additional systems.
  7. The attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.
  8. The attacker achieves their final objective, such as data exfiltration or deploying ransomware.

Impact

A successful attack that abuses unusual parent-child relationships can lead to privilege escalation and attacker control of the compromised system, with consequences such as data breaches, system downtime, and financial loss. The rule aims to mitigate these risks by detecting suspicious process executions early in the attack chain. The advisory does not state a number of potential victims or targeted sectors; because the technique applies to any Windows system, the exposure is broad.

Recommendation

  • Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect unusual parent-child process relationships (see the Detection coverage section below).
  • Enable process creation logging with command line arguments in your Windows environment using Sysmon or Windows Security Event Logs to ensure the necessary data is available for detection.
  • Investigate and baseline common parent-child process relationships in your environment to reduce false positives.
  • Integrate your SIEM with threat intelligence feeds to identify known malicious processes and their associated parent processes.
  • Configure endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to collect and analyze process execution data (see setup section in the source URL).
  • Refer to the investigation guide linked in the source URL to triage alerts related to unusual parent-child process relationships.

Detection coverage (3 rules)

Suspicious Parent Process of AutoChk (severity: high)

Detects AutoChk executed by a process other than smss.exe, which could indicate masquerading or privilege escalation.

Format: sigma | Tactics: defense_evasion, privilege_escalation | Techniques: T1036.009 | Sources: process_creation, windows

Suspicious Parent Process of DllHost (severity: medium)

Detects DllHost executed by a process other than services.exe or svchost.exe, which could indicate masquerading or privilege escalation.

Format: sigma | Tactics: defense_evasion, privilege_escalation | Techniques: T1036.009 | Sources: process_creation, windows

Suspicious Child Process of smss.exe (severity: medium)

Detects unusual child processes spawned by smss.exe, which might indicate malicious activity attempting to masquerade as a legitimate system process.

Format: sigma | Tactics: defense_evasion, privilege_escalation | Techniques: T1036.009 | Sources: process_creation, windows

Detection queries are kept inside the platform.
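The platform's own queries are not reproduced on this page. As an added illustration (not the platform's rule code), the following Python applies the three parent-child checks described above to constructed process-creation records; the baseline of legitimate smss.exe children is an assumption of this example, not something the advisory states.

```python
"""Added example: the three parent-child checks from this advisory, applied
to constructed Sysmon Event ID 1 / Security 4688 style records."""
from pathlib import PureWindowsPath

# Expected parents exactly as the two "Suspicious Parent Process" rules describe them.
PARENT_RULES = {
    "autochk.exe": ("Suspicious Parent Process of AutoChk", {"smss.exe"}),
    "dllhost.exe": ("Suspicious Parent Process of DllHost", {"services.exe", "svchost.exe"}),
}
# ASSUMED baseline for the smss.exe rule (the page does not list expected children):
# the session manager normally spawns csrss, wininit, winlogon, autochk and itself.
SMSS_EXPECTED_CHILDREN = {"autochk.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "smss.exe"}


def _name(path: str) -> str:
    """Case-insensitive basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def check_event(event: dict) -> list[str]:
    """Return the page's rule titles that the event would trigger.
    Accepts Sysmon (Image/ParentImage) or 4688 (NewProcessName/ParentProcessName) fields.
    Caveat: with parent PID spoofing the logged parent is the spoofed one, so these
    checks are a baseline, not a complete answer to that technique."""
    image = _name(event.get("Image") or event.get("NewProcessName", ""))
    parent = _name(event.get("ParentImage") or event.get("ParentProcessName", ""))
    hits = []
    if image in PARENT_RULES and parent not in PARENT_RULES[image][1]:
        hits.append(PARENT_RULES[image][0])
    if parent == "smss.exe" and image not in SMSS_EXPECTED_CHILDREN:
        hits.append("Suspicious Child Process of smss.exe")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """(image, parent, rule) for every rule hit across a batch of events."""
    return [(e.get("Image", ""), e.get("ParentImage", ""), h) for e in events for h in check_event(e)]


# Constructed sample events (not real telemetry): one benign and one suspicious case per rule.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\autochk.exe", "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"Image": r"C:\Windows\System32\autochk.exe", "ParentImage": r"C:\Users\alice\Downloads\update.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\smss.exe"},
]

if __name__ == "__main__":
    for image, parent, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image} <- {parent}")
```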