Process Spawn Analysis
Definition
Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
How it works
Process attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns.
Some attributes of interest are:
- user
- process name
- image path
- security context
Considerations
- Attackers can spoof the parent process identifier (PPID), which could bypass this defense to allow execution of a malicious process from an arbitrary parent process.
- Attackers may have compromised any of the process properties beforehand, such as the user account the process runs as, so that the execution appears legitimate.
- Location: If only the process name is checked rather than the full image path, a different executable with the same name that resolves earlier in the system PATH (or classpath) search order can be mistaken for the expected one.
- Parsing issues: If the raw command line from a shell is analyzed rather than the actual process-creation call, the analysis must first work out which executable is being run and which tokens are its arguments. In Windows, a service registered with an unquoted file path containing spaces will try the first token as the executable and treat the rest as arguments, then shift further tokens into the executable path until a valid one is found.
- Some operating systems can spawn processes without forking.
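An added example (not D3FEND's own code) of the checks described above, run over constructed process-creation events: it resolves the executable from a raw command line the way Windows handles unquoted paths with spaces, then compares the full image path and the user against a hypothetical allow-list so that a same-named binary in an unexpected location, or a system binary under an unexpected account, is flagged. The allow-list, file table and events are all constructed for illustration.

```python
import ntpath

# Constructed allow-list (hypothetical): legitimate image path and expected account.
EXPECTED_IMAGE = {
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
    "lsass.exe": r"C:\Windows\System32\lsass.exe",
}
EXPECTED_USER = {"lsass.exe": r"NT AUTHORITY\SYSTEM"}
# Constructed file table standing in for the host's file system (runs offline).
FILES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Program Files\Acme Agent\svchost.exe",
}

def resolve_windows_executable(command_line, exists=FILES.__contains__):
    """Recover the image actually launched from a raw command line: quoted paths
    are taken verbatim; for an unquoted path with spaces, emulate Windows by
    taking the first token and appending tokens until one names an existing file."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    tokens = command_line.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if exists(candidate):
            return candidate
    return tokens[0]  # nothing resolved; fall back to the first token

def analyze_spawn(event, exists=FILES.__contains__):
    """Check the event's resolved image path and user against the allow-list;
    matching the full path is what catches a same-named binary elsewhere."""
    findings = []
    image = resolve_windows_executable(event["CommandLine"], exists)
    name = ntpath.basename(image).lower()
    expected = EXPECTED_IMAGE.get(name)
    if expected and image.lower() != expected.lower():
        findings.append(f"masquerade: {name} ran from {image}")
    if name in EXPECTED_USER and event["User"] != EXPECTED_USER[name]:
        findings.append(f"unexpected user {event['User']} for {name}")
    return findings

# Constructed sample events in the shape of a process-creation log record.
EVENTS = [
    {"CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"CommandLine": r"C:\Users\Public\svchost.exe", "User": r"CORP\jdoe"},
    {"CommandLine": r"C:\Windows\System32\lsass.exe", "User": r"CORP\jdoe"},
    {"CommandLine": r"C:\Program Files\Acme Agent\svchost.exe -k update", "User": r"NT AUTHORITY\SYSTEM"},
]
```

Calling `analyze_spawn(e)` for each entry in `EVENTS` yields no finding for the first event and one finding for each of the others.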
Technique Subclasses
There are 2 techniques in this category, Process Spawn Analysis.
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Process Spawn Analysis | D3-PSA | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. | |
| - Process Lineage Analysis | D3-PLA | Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. | Process Tree Analysis |
References
The following references were used to develop the Process Spawn Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
- CAR-2019-08-002: Active Directory Dumping via NTDSUtil (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-04-001: Shadow Copy Deletion (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-05-003: Rare LolBAS Command Lines (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-09-003: Indicator Blocking - Driver Unloaded (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-09-004: Credentials in Files & Registry (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-11-001: Boot or Logon Initialization Scripts (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-11-003: DLL Injection with Mavinject (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-11-005: Clear Powershell Console Command History (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-11-006: Local Permission Group Discovery (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-11-007: Network Share Connection Removal (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-11-008: MSBuild and msxsl (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2020-11-009: Compiled HTML Access (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-01-002: Unusually Long Command Line Strings (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-01-003: Clearing Windows Logs with Wevtutil (External Knowledge Base; Organization: MITRE)
- CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-01-006: Unusual Child Process spawned using DDE exploit (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-01-008: Disable UAC (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-02-001: Webshell-Indicative Process Tree (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-04-001: Common Windows Process Masquerading (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-002: Batch File Write to System32 (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-003: BCDEdit Failure Recovery Modification (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-004: BITS Job Persistence (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-005: BITSAdmin Download File (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments (External Knowledge Base)
- CAR-2021-05-008: Certutil exe certificate extraction (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-009: CertUtil With Decode Argument (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2021-05-010: Create local admin accounts using net exe (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2013-07-005: Command Line Usage of Archiving Software (External Knowledge Base)
- CAR-2016-03-002: Create Remote Process via WMIC (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2019-04-004: Credential Dumping via Mimikatz (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2016-03-001: Host Discovery Commands (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2019-07-002: Lsass Process Dump via Procdump (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2014-04-003: Powershell Execution (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2014-03-006: RunDLL32.exe monitoring (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2019-04-003: Squiblydoo (External Knowledge Base; Organization: MITRE; Author: MITRE)
- CAR-2013-07-001: Suspicious Arguments (External Knowledge Base)
- CAR-2013-05-002: Suspicious Run Locations (External Knowledge Base)
D3FEND™
A knowledge graph of cybersecurity countermeasures