Esc

Process Spawn Analysis

D3-PSA
D3-PSA (Process Spawn Analysis)

Definition

Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.

How it works

Process attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns.

Some attributes of interest are:

  • user
  • process name
  • image path
  • security content

Considerations

  • Attackers can spoof the parent process identifier (PPID), which could bypass this defense to allow execution of a malicious process from an arbitrary parent process.
  • Attackers could have legitimately compromised any of the process properties, such as the user, to make the execution appear legitimate.
  • Location: If the full image path is not checked, there could be a conflict with an executable that appears earlier due to resolution involving the system environment path/classpath variable.
  • Parsing issues: If the raw command from a shell is analyzed, rather than the actual function call, it is important to identify the actual command being run from its arguments. In Windows, services with unquoted file paths containing spaces will try to use the first token as the executable and the rest as arguments -- and shift tokens to the executable until a valid one is found.
  • Some operating systems can spawn processes without forking.

Artifact Relationships:

This defensive technique is related to specific artifacts. Click the artifact node for more information.
json

Technique Subclasses

There are 2 techniques in this category, Process Spawn Analysis.

NameIDDefinitionSynonyms
Process Spawn AnalysisD3-PSAAnalyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
- Process Lineage AnalysisD3-PLAIdentification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. Process Tree Analysis

Related ATT&CK Techniques:

These mappings are inferred, experimental, and will improve as the knowledge graph grows.

These offensive techniques are determined related because of the way this defensive technique,, , , and .

Lateral Movement
Use Alternate Authentication Material
Privilege Escalation
Abuse Elevation Control Mechanism
Bypass User Account Control
Access Token Manipulation
Parent PID Spoofing
Event Triggered Execution
Netsh Helper DLL
AppInit DLLs
AppCert DLLs
Scheduled Task/Job
Scheduled Task
Process Injection
Asynchronous Procedure Call
Process Doppelgänging
Discovery
System Network Configuration Discovery
Application Window Discovery
System Service Discovery
System Information Discovery
Remote System Discovery
System Owner/User Discovery
System Time Discovery
Process Discovery
Persistence
Event Triggered Execution
Netsh Helper DLL
AppInit DLLs
AppCert DLLs
Server Software Component
Transport Agent
Web Shell
SQL Stored Procedures
Scheduled Task/Job
Scheduled Task
Modify Authentication Process
Execution
Windows Management Instrumentation
Scheduled Task/Job
Scheduled Task
Credential Access
Exploitation for Credential Access
OS Credential Dumping
LSASS Memory
LSA Secrets
Security Account Manager
Multi-Factor Authentication Request Generation
Modify Authentication Process
Defense Evasion
Abuse Elevation Control Mechanism
Bypass User Account Control
System Binary Proxy Execution
Control Panel
Compiled HTML File
Mshta
Rundll32
CMSTP
Access Token Manipulation
Parent PID Spoofing
Use Alternate Authentication Material
Deobfuscate/Decode Files or Information
Process Injection
Asynchronous Procedure Call
Process Doppelgänging
Impair Defenses
Disable or Modify Tools
Modify Authentication Process
XSL Script Processing

References

All
External Knowledge Base

The following references were used to develop the Process Spawn Analysis knowledge-base article.

(Note: the consideration of references does not imply specific functionality exists in an offering.)

CAR-2019-08-002: Active Directory Dumping via NTDSUtil

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2019-08-002/

CAR-2020-04-001: Shadow Copy Deletion

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-04-001/

CAR-2020-05-003: Rare LolBAS Command Lines

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-05-003/

CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-08-001/

CAR-2020-09-003: Indicator Blocking - Driver Unloaded

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-09-003/

CAR-2020-09-004: Credentials in Files & Registry

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-09-004/

CAR-2020-11-001: Boot or Logon Initialization Scripts

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-11-001/

CAR-2020-11-003: DLL Injection with Mavinject

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-11-003/

CAR-2020-11-005: Clear Powershell Console Command History

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-11-005/

CAR-2020-11-006: Local Permission Group Discovery

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-11-006/

CAR-2020-11-007: Network Share Connection Removal

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-11-007/

CAR-2020-11-008: MSBuild and msxsl

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-11-008/

CAR-2020-11-009: Compiled HTML Access

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2020-11-009/

CAR-2021-01-002: Unusually Long Command Line Strings

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-01-002/

CAR-2021-01-003: Clearing Windows Logs with Wevtutil

Reference Type: External Knowledge Base Organization: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-01-003/

CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-01-004/

CAR-2021-01-006: Unusual Child Process spawned using DDE exploit

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-01-006/

CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt

MITRE Comments

d

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-01-007/

CAR-2021-01-008: Disable UAC

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-01-008/

CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-01-009/

CAR-2021-02-001: Webshell-Indicative Process Tree

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-02-001/

CAR-2021-04-001: Common Windows Process Masquerading

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-04-001/

CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-001/

CAR-2021-05-002: Batch File Write to System32

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-002/

CAR-2021-05-003: BCDEdit Failure Recovery Modification

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-003/

CAR-2021-05-004: BITS Job Persistence

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-004/

CAR-2021-05-005: BITSAdmin Download File

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-005/

CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-006/

CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments

Reference Type: External Knowledge Base
Source:
https://car.mitre.org/analytics/CAR-2021-05-007/

CAR-2021-05-008: Certutil exe certificate extraction

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-008/

CAR-2021-05-009: CertUtil With Decode Argument

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-009/

CAR-2021-05-010: Create local admin accounts using net exe

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2021-05-010/

CAR-2013-07-005: Command Line Usage of Archiving Software

Reference Type: External Knowledge Base
Source:
https://car.mitre.org/analytics/CAR-2013-07-005/

CAR-2016-03-002: Create Remote Process via WMIC

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2016-03-002/

CAR-2019-04-004: Credential Dumping via Mimikatz

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2019-04-004/

CAR-2016-03-001: Host Discovery Commands

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2016-03-001/

CAR-2019-07-002: Lsass Process Dump via Procdump

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2019-07-002/

CAR-2014-04-003: Powershell Execution

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2014-04-003/

CAR-2014-03-006: RunDLL32.exe monitoring

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2014-03-006/

CAR-2019-04-003: Squiblydoo

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source:
https://car.mitre.org/analytics/CAR-2019-04-003/

CAR-2013-07-001: Suspicious Arguments

Reference Type: External Knowledge Base
Source:
https://car.mitre.org/analytics/CAR-2013-07-001/

CAR-2013-05-002: Suspicious Run Locations

Reference Type: External Knowledge Base
Source:
https://car.mitre.org/analytics/CAR-2013-05-002/

D3FEND

A knowledge graph of cybersecurity countermeasures
1.4.0
Model
Model
+
Asset Inventory
Asset Vulnerability Enumeration
Container Image Analysis
Configuration Inventory
Data Inventory
Hardware Component Inventory
Network Node Inventory
Software Inventory
Network Mapping
Logical Link Mapping
Active Logical Link Mapping
Passive Logical Link Mapping
Network Traffic Policy Mapping
Network Vulnerability Assessment
Physical Link Mapping
Active Physical Link Mapping
Direct Physical Link Mapping
Operational Activity Mapping
Access Modeling
Operational Dependency Mapping
Operational Risk Assessment
Organization Mapping
System Mapping
Data Exchange Mapping
Service Dependency Mapping
System Dependency Mapping
System Vulnerability Assessment
Harden
Harden
+
Agent Authentication
Biometric Authentication
Certificate-based Authentication
Multi-factor Authentication
Password Authentication
Token-based Authentication
Application Hardening
Application Configuration Hardening
Control Flow Integrity
Dead Code Elimination
Exception Handler Pointer Validation
Pointer Authentication
Process Segment Execution Prevention
Segment Address Offset Randomization
Stack Frame Canary Validation
Credential Hardening
Certificate Pinning
Credential Rotation
Certificate Rotation
Password Rotation
One-time Password
Strong Password Policy
Change Default Password
Token Binding
Message Hardening
Message Authentication
Bus Message Authentication
Message Encryption
Transfer Agent Authentication
Platform Hardening
Bootloader Authentication
Disk Encryption
Driver Load Integrity Checking
File Encryption
Hardware-based Write Protection
Physical Enclosure Hardening
Radiation Hardening
Electromagnetic Radiation Hardening
RF Shielding
Software Update
System Configuration Permissions
TPM Boot Integrity
Source Code Hardening
Credential Scrubbing
Domain Logic Validation
Operational Logic Validation
Integer Range Validation
Pointer Validation
Memory Block Start Validation
Null Pointer Checking
Reference Nullification
Trusted Library
Variable Initialization
Variable Type Validation
Detect
Detect
+
File Analysis
Dynamic Analysis
Emulated File Analysis
File Content Analysis
File Content Rules
File Hashing
Identifier Analysis
Homoglyph Detection
Identifier Activity Analysis
Identifier Reputation Analysis
Domain Name Reputation Analysis
File Hash Reputation Analysis
IP Reputation Analysis
URL Reputation Analysis
URL Analysis
Message Analysis
Sender MTA Reputation Analysis
Sender Reputation Analysis
Network Traffic Analysis
Administrative Network Activity Analysis
Application Protocol Command Analysis
Remote Firmware Update Monitoring
Byte Sequence Emulation
Certificate Analysis
Active Certificate Analysis
Passive Certificate Analysis
Client-server Payload Profiling
Connection Attempt Analysis
DNS Traffic Analysis
File Carving
Inbound Session Volume Analysis
IPC Traffic Analysis
Network Traffic Community Deviation
Network Traffic Signature Analysis
Per Host Download-Upload Ratio Analysis
Protocol Metadata Anomaly Detection
Relay Pattern Analysis
Remote Terminal Session Detection
RPC Traffic Analysis
Physical Access Monitoring
Electronic Lock Monitoring
Motion Sensor Monitoring
Proximity Sensor Monitoring
Video Surveillance
Platform Monitoring
Application Performance Monitoring
Application Exception Monitoring
File Integrity Monitoring
Firmware Behavior Analysis
Firmware Embedded Monitoring Code
Firmware Verification
Peripheral Firmware Verification
System Firmware Verification
Operating Mode Monitoring
Operating System Monitoring
Endpoint Health Beacon
Input Device Analysis
Memory Boundary Tracking
Scheduled Job Analysis
System Daemon Monitoring
System File Analysis
Service Binary Verification
System Init Config Analysis
User Session Init Config Analysis
Operational Process Monitoring
Platform Uptime Monitoring
Process Analysis
Database Query String Analysis
File Access Pattern Analysis
Indirect Branch Call Analysis
Process Code Segment Verification
Process Self-Modification Detection
Process Spawn Analysis
Process Lineage Analysis
Script Execution Analysis
Shadow Stack Comparisons
System Call Analysis
File Creation Analysis
User Behavior Analysis
Authentication Event Thresholding
Authorization Event Thresholding
Credential Compromise Scope Analysis
Domain Account Monitoring
Job Function Access Pattern Analysis
Local Account Monitoring
Resource Access Pattern Analysis
Session Duration Analysis
User Data Transfer Analysis
User Geolocation Logon Pattern Analysis
Web Session Activity Analysis
Isolate
Isolate
+
Access Mediation
Credential Transmission Scoping
IO Port Restriction
Network Access Mediation
LAN Access Mediation
Routing Access Mediation
Network Resource Access Mediation
Remote File Access Mediation
Web Session Access Mediation
Endpoint-based Web Server Access Mediation
Proxy-based Web Server Access Mediation
Operating Mode Restriction
OT Variable Access Restriction
Physical Access Mediation
Physical Locking
System Call Filtering
Local File Access Mediation
Access Policy Administration
Domain Trust Policy
Local File Permissions
User Account Permissions
User Group Permissions
Content Filtering
Content Modification
Content Excision
Content Format Conversion
Content Rebuild
Content Substitution
Content Quarantine
Content Validation
File Format Verification
File Content Decompression Checking
File Internal Structure Verification
File Metadata Consistency Validation
File Metadata Value Verification
File Magic Byte Verification
Execution Isolation
Application-based Process Isolation
Executable Allowlisting
Executable Denylisting
Hardware-based Process Isolation
Kernel-based Process Isolation
Network Isolation
Broadcast Domain Isolation
Directional Network Link
DNS Allowlisting
DNS Denylisting
Forward Resolution Domain Denylisting
Hierarchical Domain Denylisting
Homoglyph Denylisting
Forward Resolution IP Denylisting
Reverse Resolution IP Denylisting
Encrypted Tunnels
Network Traffic Filtering
Inbound Traffic Filtering
Email Filtering
Outbound Traffic Filtering
Deceive
Deceive
+
Decoy Environment
Connected Honeynet
Integrated Honeynet
Standalone Honeynet
Decoy Object
Decoy File
Decoy Network Resource
Decoy Persona
Decoy Public Release
Decoy Session Token
Decoy User Credential
Evict
Evict
+
Credential Eviction
Account Locking
Authentication Cache Invalidation
Credential Revocation
Object Eviction
Disk Formatting
Disk Erasure
Disk Partitioning
DNS Cache Eviction
Domain Registration Takedown
File Eviction
Email Removal
Registry Key Deletion
Process Eviction
Host Shutdown
Host Reboot
Process Suspension
Process Termination
Session Termination
Restore
Restore
+
Restore Access
Reissue Credential
Restore Network Access
Restore User Account Access
Unlock Account
Restore Object
Restore Configuration
Restore Database
Restore Disk Image
Restore File
Restore Email
Restore Software