Unusual Parent-Child Relationship Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This detection identifies Windows programs executed with unexpected parent processes, which may indicate masquerading, process injection, or other anomalous behavior. The detection logic focuses on deviations from established parent-child process relationships within the Windows operating system. This rule leverages data from multiple sources, including Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs, to enhance detection coverage. This is important for defenders as unusual parent-child process relationships can be indicative of various malicious activities, including privilege escalation and defense evasion techniques employed by threat actors. The rule aims to provide early detection of potentially malicious activities by identifying deviations from the expected process execution patterns.

Attack Chain

The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
The attacker executes a malicious payload that attempts to masquerade as a legitimate process.
The malicious process is launched with an unexpected parent process, deviating from normal Windows process relationships. For example, autochk.exe running without smss.exe as its parent.
The malicious process attempts to inject code into other processes for privilege escalation or defense evasion, leveraging techniques like process hollowing.
The injected code gains elevated privileges, allowing the attacker to perform sensitive actions on the system.
The attacker uses the elevated privileges to move laterally within the network, compromising additional systems.
The attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.
The attacker achieves their final objective, such as data exfiltration or deploying ransomware.

Impact

A successful attack exploiting unusual parent-child relationships can lead to privilege escalation, allowing attackers to gain control of the compromised system. This can result in data breaches, system downtime, and financial losses. The rule aims to mitigate these risks by detecting suspicious process executions early in the attack chain. While the exact number of potential victims and sectors targeted is not explicitly mentioned, the broad applicability of Windows systems makes this a widespread threat.

Recommendation

Deploy the provided Sigma rules to your SIEM and tune for your environment to detect unusual parent-child process relationships (see rules section).
Enable process creation logging with command line arguments in your Windows environment using Sysmon or Windows Security Event Logs to ensure the necessary data is available for detection.
Investigate and baseline common parent-child process relationships in your environment to reduce false positives.
Integrate your SIEM with threat intelligence feeds to identify known malicious processes and their associated parent processes.
Configure endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to collect and analyze process execution data (see setup section in the source URL).
Refer to the investigation guide linked in the source URL to triage alerts related to unusual parent-child process relationships.

Windows Privilege Escalation via Secondary Logon Service

hello@craftedsignal.io — Tue, 02 Jan 2024 10:00:00 +0000

The Secondary Logon service in Windows allows users to run processes with different credentials, which can be abused to escalate privileges and bypass access controls. This technique involves an adversary successfully authenticating via the seclogon service, typically from the local host, then spawning a new process under the context of this newly acquired, potentially elevated, token. The detection focuses on identifying successful seclogon authentications where the source IP is the loopback address (::1), tied to subsequent process creations sharing the same logon ID. This is a common method for local privilege escalation.

Attack Chain

An attacker gains initial access to a Windows system through various means.
The attacker attempts to leverage the Secondary Logon service (seclogon) to create a new process with elevated privileges.
A successful logon event is generated, with the LogonProcessName indicating “seclogo*” and source IP address of “::1”, and event ID indicating a successful login.
svchost.exe is used as the process responsible for calling seclogon.
The system assigns a TargetLogonId to the new logon session.
The attacker creates a new process, specifying the TargetLogonId obtained from the previous step.
The new process is launched with the security context of the alternate credentials, potentially granting the attacker elevated privileges.
The attacker performs malicious actions using the newly elevated privileges, such as accessing sensitive data or installing malware.

Impact

Successful exploitation allows attackers to perform actions with elevated privileges, potentially leading to complete system compromise. An attacker can bypass access controls and gain unauthorized access to sensitive resources. If successful, this can lead to data theft, system compromise, or the installation of persistent backdoors.

Recommendation

Enable Audit Logon to generate the events required for the rules in this brief (reference: Setup section in the source).
Deploy the “Process Creation via Secondary Logon” Sigma rule to your SIEM and tune for your environment to detect potential privilege escalation attempts (reference: Sigma rules below).
Monitor for svchost.exe processes initiating secondary logon events from the local loopback address (::1) as an indicator of local privilege escalation.

Access-Token-Manipulation — CraftedSignal Threat Feed

Unusual Parent-Child Relationship Detection

Attack Chain

Impact

Recommendation

Windows Privilege Escalation via Secondary Logon Service

Attack Chain

Impact

Recommendation