Unusual Child Process from a System Virtual Process
A suspicious child process of the Windows virtual system process is detected, potentially indicating code injection and defense evasion.
This detection identifies unusual child processes spawned by the Windows virtual System process (PID 4). The activity is suspicious because the System process runs in kernel mode and only ever creates a small, fixed set of kernel-started images, so an unexpected child points to code injection, process hollowing, a malicious or exploited kernel-mode component, or a spoofed parent relationship used for defense evasion. The rule looks for process start events where the parent PID is 4 and the executable name does not match the expected system binaries (Registry, MemCompression, smss.exe, HotPatch). It uses data from Elastic Defend, Microsoft Defender XDR, SentinelOne, Sysmon, and Windows event logs, making it applicable across various environments. The rule is limited to Windows systems because PID 4 as the System process is specific to Windows.
Attack Chain
- An attacker gains initial access to the system through an exploit or social engineering.
- The attacker injects malicious code into a running process or loads a malicious kernel-mode component.
- The injected code causes the System process (PID 4) to appear as the parent of a newly spawned child process.
- The child process is an unexpected or malicious binary, not one of the images the System process normally creates.
- The malicious child process executes further actions, such as establishing persistence or escalating privileges.
- The attacker uses the spawned process to perform lateral movement or data exfiltration.
- The attacker attempts to evade detection by hiding within the System process context, where a PID 4 parent lends the child an appearance of legitimacy.
- The final objective is to compromise the system, steal data, or establish a persistent foothold.
Impact
A successful attack could lead to complete system compromise, data theft, or the installation of persistent malware. A child of the System process runs with SYSTEM privileges, and because PID 4 is not a process analysts expect to spawn arbitrary binaries, the activity is easy to overlook, making detection and remediation more difficult. The number of affected victims and sectors is not specified, but this technique can be used in targeted attacks against high-value systems, potentially impacting critical infrastructure or sensitive data environments.
Recommendation
- Deploy the Sigma rule "Unusual System Virtual Process Child Process" to your SIEM to detect potential code injection and defense evasion attempts.
- Enable Sysmon process creation logging (Event ID 1) to ensure the required data is available for the Sigma rule.
- Investigate any alerts generated by the Sigma rule by examining the parent and child process relationships, binary identities, and process behaviors as outlined in the rule's triage notes.
- Monitor process.executable, process.hash.sha256, process.pe.original_file_name, and process.code_signature.subject_name to confirm the child binary's identity and ensure it is consistent with the claimed system component (for example, an image named like a Windows binary but carrying a different original file name or no Microsoft signature).
- Review process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time, and process.Ext.created_suspended to identify potential file dropping, renaming, or hollowing techniques at process startup. Note that the process.Ext.* fields are populated by Elastic Defend; Sysmon Event ID 1 alone does not supply them, so environments relying on Sysmon must triage those aspects from file-creation telemetry instead.
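The following is an added worked example, not the platform's own query or the Sigma rule text: it re-implements the rule logic described above (a process start whose parent is PID 4 and whose image name is outside the expected set) and then runs the triage checks from the recommendation list over a handful of constructed ECS-style process-creation events. Assumptions made here: events are flat dictionaries keyed by ECS field name, the process.Ext.relative_* fields are seconds between the on-disk image being created or renamed and the process starting, a 300-second "fresh drop" threshold, and a simple "Microsoft in the signer subject" heuristic for binary identity. The sample events and their hashes are constructed for illustration.

```python
# Added example (not the platform's query): re-implements the rule logic described
# above (parent PID 4, child name outside the expected set) and the triage checks
# from the recommendation list, over constructed ECS-style process-creation events.
from __future__ import annotations

# Children the Windows System process (PID 4) legitimately spawns, per the rule
# description. Compared case-insensitively against the executable's file name.
EXPECTED_SYSTEM_CHILDREN = {"registry", "memcompression", "smss.exe", "hotpatch"}

# Assumption for this example: process.Ext.relative_file_creation_time and
# process.Ext.relative_file_name_modify_time are seconds between the on-disk
# image being created/renamed and the process starting; anything under this
# threshold is treated as "dropped or renamed right before launch".
RECENT_FILE_SECONDS = 300.0


def basename(path: str) -> str:
    """Last path component, tolerating both separators and bare names."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def child_name(event: dict) -> str:
    # Kernel-created children such as MemCompression may carry no full path.
    return basename(event.get("process.executable") or event.get("process.name") or "")


def is_unusual_system_child(event: dict) -> bool:
    """Core rule: a process start whose parent is PID 4 and whose image name
    is not one of the known System children."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.parent.pid") != 4:
        return False
    return child_name(event).lower() not in EXPECTED_SYSTEM_CHILDREN


def triage_indicators(event: dict) -> list[str]:
    """Checks from the recommendation list: binary identity (original file name,
    signer) and startup artifacts (fresh drop/rename, created suspended)."""
    found: list[str] = []
    name = child_name(event)

    original = event.get("process.pe.original_file_name")
    if original and original.lower() != name.lower():
        found.append(f"PE original_file_name '{original}' != image name '{name}'")

    signer = event.get("process.code_signature.subject_name")
    if not signer or event.get("process.code_signature.trusted") is False:
        found.append("unsigned or untrusted code signature")
    elif "microsoft" not in signer.lower():  # heuristic assumed for this example
        found.append(f"signed by non-Microsoft subject '{signer}'")

    created = event.get("process.Ext.relative_file_creation_time")
    if created is not None and created < RECENT_FILE_SECONDS:
        found.append(f"image written {created:.0f}s before start (possible drop)")

    renamed = event.get("process.Ext.relative_file_name_modify_time")
    if renamed is not None and renamed < RECENT_FILE_SECONDS:
        found.append(f"image renamed {renamed:.0f}s before start")

    if event.get("process.Ext.created_suspended"):
        found.append("created suspended (possible process hollowing)")
    return found


def run_detection(events: list[dict]) -> list[dict]:
    """Apply the rule and attach triage context to every hit."""
    return [
        {
            "executable": e.get("process.executable") or e.get("process.name"),
            "sha256": e.get("process.hash.sha256"),
            "indicators": triage_indicators(e),
        }
        for e in events
        if is_unusual_system_child(e)
    ]


# Constructed sample events (not real telemetry); the hash is a placeholder.
SAMPLE_EVENTS = [
    {"event.type": "start", "process.parent.pid": 4, "process.pid": 500,
     "process.executable": "C:\\Windows\\System32\\smss.exe",
     "process.pe.original_file_name": "smss.exe",
     "process.code_signature.subject_name": "Microsoft Windows",
     "process.code_signature.trusted": True},
    {"event.type": "start", "process.parent.pid": 4, "process.pid": 2128,
     "process.name": "MemCompression"},
    {"event.type": "start", "process.parent.pid": 4, "process.pid": 7312,
     "process.executable": "C:\\Windows\\Temp\\svchost.exe",
     "process.hash.sha256": "00" * 32,
     "process.pe.original_file_name": "payload.exe",
     "process.Ext.relative_file_creation_time": 12.0,
     "process.Ext.created_suspended": True},
    {"event.type": "start", "process.parent.pid": 904, "process.pid": 7320,
     "process.executable": "C:\\Windows\\System32\\svchost.exe",
     "process.pe.original_file_name": "svchost.exe",
     "process.code_signature.subject_name": "Microsoft Windows",
     "process.code_signature.trusted": True},
    {"event.type": "end", "process.parent.pid": 4, "process.pid": 7312,
     "process.executable": "C:\\Windows\\Temp\\svchost.exe"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["executable"], hit["sha256"])
        for line in hit["indicators"]:
            print("  -", line)
```

Only the Temp\svchost.exe start event fires: smss.exe and MemCompression are on the allowlist, the System32\svchost.exe has a normal parent, and the process end event is ignored. The triage pass on the hit reports the original-file-name mismatch, the missing signature, the 12-second-old image, and the suspended creation, which is the same evidence an analyst would pull from the fields listed in the recommendations.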
Detection coverage (2 rules)
Unusual System Virtual Process Child Process
Severity: high. Detects unusual child processes spawned by the Windows virtual system process (PID 4), potentially indicating code injection or other malicious activity.
Suspicious Non-Executable Child Process of System PID 4
Severity: medium. Detects non-executable files (e.g., scripts) spawned by the System process, which may be a sign of exploitation.