Process Lineage Analysis
Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. Synonyms: Process Tree Analysis.
How it works
Process tree analysis techniques gather information on how a process was initiated to determine whether it is malicious. For example, if a process was neither initiated at boot nor initiated by another observed process, it is identified as suspicious. Likewise, if a new process was started before a process initiated by the device (e.g. during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as the type of process, its creator, its source, etc.), the process is identified as suspicious.
The same lineage information can also drive enforcement: for example, Microsoft Word may be configured to block execution of any subprocess that is not in an approved path.
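As an added illustration (not part of this page or of any product it references), the checks described above run over a constructed set of process-creation events: an orphan whose parent was never observed, a child whose recorded start precedes its parent's, and a child outside an approved list for its parent. The event fields, PIDs, image names, timestamps and the approved-children list are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List
@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    start: float  # seconds since boot, as a host agent would record it

# Constructed sample of process-creation events; PIDs, names and times are made up.
EVENTS = [
    Proc(1, 0, "init", 0.0),
    Proc(400, 1, "explorer.exe", 12.0),
    Proc(520, 400, "winword.exe", 30.0),
    Proc(530, 520, "cmd.exe", 31.5),      # Word spawning a shell: outlier parent
    Proc(610, 999, "svchost.exe", 40.0),  # parent PID never observed: orphan
    Proc(700, 400, "notepad.exe", 50.0),
    Proc(710, 700, "updater.exe", 45.0),  # "started" before its parent: PPID-spoof indicator
]
# Hypothetical allow-list of children a document editor is expected to spawn.
APPROVED_CHILDREN = {"winword.exe": {"splwow64.exe"}}

def build_tree(events: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in events}

def lineage(tree: Dict[int, Proc], pid: int) -> List[str]:
    """Walk from a process up to the root, returning image names; stops on cycles."""
    chain, seen, cur = [], set(), tree.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = tree.get(cur.ppid)
    return chain

def analyze(events: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for each process whose lineage looks suspicious."""
    tree = build_tree(events)
    findings: Dict[int, List[str]] = {}
    for p in events:
        parent, reasons = tree.get(p.ppid), []
        if p.ppid != 0 and parent is None:
            reasons.append("orphan: parent never observed (not boot- or process-initiated)")
        if parent is not None and p.start < parent.start:
            reasons.append("start time precedes parent (possible PPID spoofing)")
        allowed = APPROVED_CHILDREN.get(parent.name) if parent else None
        if allowed is not None and p.name not in allowed:
            reasons.append(f"unexpected child of {parent.name}; lineage: {' <- '.join(lineage(tree, p.pid))}")
        if reasons:
            findings[p.pid] = reasons
    return findings
```

The start-time check only catches a spoofed parent whose recorded start is later than the child's; a spoofed parent that is genuinely older will pass it, which is the limitation noted in the considerations below.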
Considerations
- Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis of process lineage ineffective.
- Processes may hide from various means of detection; an example on Linux is a rootkit removing key files for the process from its directory in /proc.
- Zombie processes (exited but not yet reaped by their parent) keep a process-table entry whose metadata is stale, which can distort the tree.
Examples
CAR-2013-04-002: Quick execution of a series of suspicious commands
CAR-2013-05-002: Suspicious Run Locations
CAR-2013-09-005: Service Outlier Executables
CAR-2014-11-002: Outlier Parents of Cmd
CAR-2014-11-008: Command Launched from WinLogon
CAR-2014-12-001: Remotely Launched Executables via WMI
CAR-2019-04-001: UAC Bypass
CAR-2019-04-002: Generic Regsvr32
CAR-2019-08-001: Credential Dumping via Windows Task Manager
References
System and methods thereof for causality identification and attributions determination of processes in a network
This patent describes detecting malicious processes on a host. Agents are deployed on hosts that monitor all initiated processes and determine whether a process was initiated at boot or initiated by another process. If not initiated at boot or by another process, the process is identified as suspicious and an alert is triggered.
System and methods thereof for identification of suspicious system processes
The patent describes detecting malicious processes by identifying the order of process initiation. The start of a user-initiated process (user query, opening an application, etc.) is compared with the start of processes initiated by the device (e.g. during boot). In addition, a determination is made on whether processes were not initiated by a user by examining process parameters such as the type of process, its creator, its source, etc. If it is determined that a user-initiated process was started before a process initiated by the device and the process was not initiated by the user, the process is marked as suspicious.