Process Spawn Analysis
Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
How it works
Process attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns.
Some attributes of interest are:
- process name
- image path
- security context
Considerations
- Attackers can spoof the parent process identifier (PPID), which could bypass this defense and allow execution of a malicious process from an arbitrary parent process.
- Attackers could have legitimately compromised any of the process properties, such as the user, to make the execution appear legitimate.
- Location: If the full image path is not checked, there could be a conflict with an executable that appears earlier due to resolution involving the system environment path/classpath variable.
- Parsing issues: If the raw command from a shell is analyzed, rather than the actual function call, it is important to identify the actual command being run from its arguments. In Windows, services with unquoted file paths containing spaces will try to use the first token as the executable and the rest as arguments, shifting tokens onto the executable until a valid one is found.
- Some operating systems can spawn processes without forking.
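The following added example (not part of the D3FEND article) shows how a spawn analyzer can apply two of the considerations above: it resolves an unquoted Windows command line by shifting tokens onto the executable until an existing file is found, and it checks the full image path and parent against a baseline rather than the bare process name. The file set and the expected-parent map are constructed sample data, and the Windows-style event fields are an assumption.

```python
from dataclasses import dataclass

# Constructed sample of files that "exist" on the monitored host (assumption).
EXISTING = {
    r"C:\Program Files\My App\service.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\svchost.exe",
}

# Constructed baseline: full image path -> allowed parent image paths.
# Keyed by full path, not bare name, so a same-named binary elsewhere does not match.
EXPECTED_PARENTS = {
    r"C:\Windows\System32\svchost.exe": {r"C:\Windows\System32\services.exe"},
}


@dataclass
class SpawnEvent:
    image_path: str    # executable actually loaded by the OS
    parent_image: str  # parent's image path (spoofable via PPID, see considerations)
    cmdline: str       # raw command line as recorded


def resolve_unquoted(cmdline, existing=EXISTING):
    """Windows rule for unquoted paths with spaces: try the first token as the
    executable, then keep shifting tokens onto it until an existing file is
    found. Returns (executable, arguments); executable is None if unresolved."""
    if cmdline.startswith('"'):                      # quoted path is unambiguous
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    tokens = cmdline.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate in existing or candidate + ".exe" in existing:
            return candidate, " ".join(tokens[i:])
    return None, cmdline


def analyze_spawn(ev):
    """Return the findings for one spawn event (empty list means nothing unusual)."""
    findings = []
    exe, _ = resolve_unquoted(ev.cmdline)
    if exe is not None and exe.lower() != ev.image_path.lower():
        findings.append("command line resolves to a different executable than the image path")
    name = ev.image_path.rsplit("\\", 1)[-1].lower()
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in EXPECTED_PARENTS}
    if name in by_name and by_name[name].lower() != ev.image_path.lower():
        findings.append("known process name running from an unexpected location")
    elif ev.image_path in EXPECTED_PARENTS and ev.parent_image not in EXPECTED_PARENTS[ev.image_path]:
        findings.append("unexpected parent process")  # corroborate: PPID may be spoofed
    return findings
```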
There are 2 countermeasure techniques in this category, Process Spawn Analysis.
| Name | ID | Definition | Synonyms |
| --- | --- | --- | --- |
| Process Spawn Analysis | D3-PSA | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. | |
| - Process Lineage Analysis | D3-PLA | Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. | Process Tree Analysis |
The following references were used to develop the Process Spawn Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
CAR-2019-08-002: Active Directory Dumping via NTDSUtil
CAR-2013-07-005: Command Line Usage of Archiving Software
CAR-2016-03-002: Create Remote Process via WMIC
CAR-2019-04-004: Credential Dumping via Mimikatz
CAR-2016-03-001: Host Discovery Commands
CAR-2019-07-002: Lsass Process Dump via Procdump
CAR-2014-04-003: Powershell Execution
CAR-2020-04-001: Shadow Copy Deletion
CAR-2020-05-003: Rare LolBAS Command Lines
CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities
CAR-2020-09-003: Indicator Blocking - Driver Unloaded
CAR-2020-09-004: Credentials in Files & Registry
CAR-2020-11-001: Boot or Logon Initialization Scripts
CAR-2020-11-003: DLL Injection with Mavinject
CAR-2020-11-005: Clear Powershell Console Command History
CAR-2020-11-006: Local Permission Group Discovery
CAR-2020-11-007: Network Share Connection Removal
CAR-2020-11-008: MSBuild and msxsl
CAR-2020-11-009: Compiled HTML Access
CAR-2021-01-002: Unusually Long Command Line Strings
CAR-2021-01-003: Clearing Windows Logs with Wevtutil
CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe
CAR-2021-01-006: Unusual Child Process spawned using DDE exploit
CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt