Process Spawn Analysis
Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
How it works
Process attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns.
Some attributes of interest are:
- process name
- image path
- security context
Considerations
- Attackers can spoof the parent process identifier (PPID), which could bypass this defense to allow execution of a malicious process from an arbitrary parent process.
- Attackers could have legitimately compromised any of the process properties, such as the user, to make the execution appear legitimate.
- Location: If the full image path is not checked, there could be a conflict with an executable that appears earlier due to resolution involving the system environment path/classpath variable.
- Parsing issues: If the raw command from a shell is analyzed, rather than the actual function call, it is important to identify the actual command being run from its arguments. In Windows, services with unquoted file paths containing spaces will try to use the first token as the executable and the rest as arguments -- and shift tokens to the executable until a valid one is found.
- Some operating systems can spawn processes without forking.
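The following is an added example, not part of the D3FEND page: it checks a spawn event's resolved image path against an expected location (the "Location" consideration) and emulates the Windows token-shifting resolution of an unquoted path with spaces (the "Parsing issues" consideration). The allowlist, the file set and the events are constructed sample data.

```python
"""Spawn-attribute checks over constructed process events (added example)."""
import ntpath

# Constructed allowlist: process name -> expected full image path (hypothetical).
EXPECTED_IMAGE = {
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
    "lsass.exe": r"C:\Windows\System32\lsass.exe",
}

# Constructed stand-in for the file system, so the example runs offline.
KNOWN_FILES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\svchost.exe",          # same name, wrong location
    r"C:\Program Files\Vendor Tool\agent.exe",
}

def fs_exists(path):
    return ntpath.normcase(path) in {ntpath.normcase(p) for p in KNOWN_FILES}

def split_unquoted_command(cmdline, exists):
    """Emulate Windows resolution of an unquoted path containing spaces:
    take the first token as the executable and shift further tokens into
    it until `exists` reports a valid file. Returns (executable, args);
    executable is None when no prefix of the tokens resolves."""
    if cmdline.startswith('"'):                 # quoted path: no ambiguity
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    tokens = cmdline.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if exists(candidate):
            return candidate, " ".join(tokens[i:])
    return None, cmdline

def analyze_spawn(event, exists):
    """Return a list of findings for one spawn event (empty means nothing flagged)."""
    findings = []
    exe, _args = split_unquoted_command(event["cmdline"], exists)
    if exe is None:
        return ["unresolvable executable"]
    name = ntpath.basename(exe).lower()
    expected = EXPECTED_IMAGE.get(name)
    # Compare the full, normalised image path, not just the process name.
    if expected and ntpath.normcase(exe) != ntpath.normcase(expected):
        findings.append(f"{name} spawned from unexpected image path {exe}")
    if " " in exe and not event["cmdline"].startswith('"'):
        findings.append("unquoted image path with spaces resolved by token shifting")
    return findings
```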
There are 2 countermeasure techniques in this category, Process Spawn Analysis.
| Technique | ID | Definition | Synonyms |
|---|---|---|---|
| Process Spawn Analysis | D3-PSA | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. | |
| - Process Lineage Analysis | D3-PLA | Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. | Process Tree Analysis |