Unusual Parent-Child Relationship

edit

Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 11 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 8.2.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Config

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.

Rule query

edit
process where event.type in ("start", "process_started") and
process.parent.name != null and ( /* suspicious parent processes
*/ (process.name:"autochk.exe" and not
process.parent.name:"smss.exe") or
(process.name:("fontdrvhost.exe", "dwm.exe") and not
process.parent.name:("wininit.exe", "winlogon.exe")) or
(process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and
not process.parent.name:"svchost.exe") or
(process.name:"SearchIndexer.exe" and not
process.parent.name:"services.exe") or
(process.name:"SearchProtocolHost.exe" and not
process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or
(process.name:"dllhost.exe" and not
process.parent.name:("services.exe", "svchost.exe")) or
(process.name:"smss.exe" and not process.parent.name:("System",
"smss.exe")) or (process.name:"csrss.exe" and not
process.parent.name:("smss.exe", "svchost.exe")) or
(process.name:"wininit.exe" and not process.parent.name:"smss.exe") or
(process.name:"winlogon.exe" and not process.parent.name:"smss.exe")
or (process.name:("lsass.exe", "LsaIso.exe") and not
process.parent.name:"wininit.exe") or (process.name:"LogonUI.exe"
and not process.parent.name:("wininit.exe", "winlogon.exe")) or
(process.name:"services.exe" and not
process.parent.name:"wininit.exe") or (process.name:"svchost.exe"
and not process.parent.name:("MsMpEng.exe", "services.exe")) or
(process.name:"spoolsv.exe" and not
process.parent.name:"services.exe") or (process.name:"taskhost.exe"
and not process.parent.name:("services.exe", "svchost.exe")) or
(process.name:"taskhostw.exe" and not
process.parent.name:("services.exe", "svchost.exe")) or
(process.name:"userinit.exe" and not process.parent.name:("dwm.exe",
"winlogon.exe")) or (process.name:("wmiprvse.exe",
"wsmprovhost.exe", "winrshost.exe") and not
process.parent.name:"svchost.exe") or /* suspicious child processes
*/ (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe",
"csrss.exe") and not process.name:("werfault.exe", "wermgr.exe",
"WerFaultSecure.exe")) or (process.parent.name:"autochk.exe" and
not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
(process.parent.name:"smss.exe" and not process.name:("autochk.exe",
"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe",
"WerFault.exe")) or (process.parent.name:"wermgr.exe" and not
process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
(process.parent.name:"conhost.exe" and not
process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe",
"WerFaultSecure.exe")) )

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 11 (8.2.0 release)
  • Formatting only
Version 10 (7.16.0 release)
  • Formatting only
Version 9 (7.15.0 release)
  • Formatting only
Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
    process.parent.executable:* and (process.parent.name:autochk.exe and
    not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or
    process.parent.name:smss.exe and not process.name:(autochk.exe or
    smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe)
    or process.name:autochk.exe and not process.parent.name:smss.exe or
    process.name:(fontdrvhost.exe or dwm.exe) and not
    process.parent.name:(wininit.exe or winlogon.exe) or
    process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and
    not process.parent.name:svchost.exe or process.name:wermgr.exe and not
    process.parent.name:(svchost.exe or TiWorker.exe) or
    process.name:SearchIndexer.exe and not
    process.parent.name:services.exe or
    process.name:SearchProtocolHost.exe and not
    process.parent.name:(SearchIndexer.exe or dllhost.exe) or
    process.name:dllhost.exe and not process.parent.name:(services.exe or
    svchost.exe) or process.name:smss.exe and not
    process.parent.name:(System or smss.exe) or process.name:csrss.exe and
    not process.parent.name:(smss.exe or svchost.exe) or
    process.name:wininit.exe and not process.parent.name:smss.exe or
    process.name:winlogon.exe and not process.parent.name:smss.exe or
    process.name:(lsass.exe or LsaIso.exe) and not
    process.parent.name:wininit.exe or process.name:LogonUI.exe and not
    process.parent.name:(wininit.exe or winlogon.exe) or
    process.name:services.exe and not process.parent.name:wininit.exe or
    process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or
    services.exe) or process.name:spoolsv.exe and not
    process.parent.name:services.exe or process.name:taskhost.exe and not
    process.parent.name:(services.exe or svchost.exe) or
    process.name:taskhostw.exe and not process.parent.name:(services.exe
    or svchost.exe) or process.name:userinit.exe and not
    process.parent.name:(dwm.exe or winlogon.exe))
Version 5 (7.10.0 release)
  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
    process.parent.executable:* and (process.name:smss.exe and not
    process.parent.name:(System or smss.exe) or process.name:csrss.exe and
    not process.parent.name:(smss.exe or svchost.exe) or
    process.name:wininit.exe and not process.parent.name:smss.exe or
    process.name:winlogon.exe and not process.parent.name:smss.exe or
    process.name:lsass.exe and not process.parent.name:wininit.exe or
    process.name:LogonUI.exe and not process.parent.name:(wininit.exe or
    winlogon.exe) or process.name:services.exe and not
    process.parent.name:wininit.exe or process.name:svchost.exe and not
    process.parent.name:(MsMpEng.exe or services.exe) or
    process.name:spoolsv.exe and not process.parent.name:services.exe or
    process.name:taskhost.exe and not process.parent.name:(services.exe or
    svchost.exe) or process.name:taskhostw.exe and not
    process.parent.name:(services.exe or svchost.exe) or
    process.name:userinit.exe and not process.parent.name:(dwm.exe or
    winlogon.exe))
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.parent.executable:* and (process.name:smss.exe and not
    process.parent.name:(System or smss.exe) or process.name:csrss.exe and
    not process.parent.name:(smss.exe or svchost.exe) or
    process.name:wininit.exe and not process.parent.name:smss.exe or
    process.name:winlogon.exe and not process.parent.name:smss.exe or
    process.name:lsass.exe and not process.parent.name:wininit.exe or
    process.name:LogonUI.exe and not process.parent.name:(wininit.exe or
    winlogon.exe) or process.name:services.exe and not
    process.parent.name:wininit.exe or process.name:svchost.exe and not
    process.parent.name:(MsMpEng.exe or services.exe) or
    process.name:spoolsv.exe and not process.parent.name:services.exe or
    process.name:taskhost.exe and not process.parent.name:(services.exe or
    svchost.exe) or process.name:taskhostw.exe and not
    process.parent.name:(services.exe or svchost.exe) or
    process.name:userinit.exe and not process.parent.name:(dwm.exe or
    winlogon.exe))
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.parent.executable:* and ( (process.name:"smss.exe" and not
    process.parent.name:("System" or "smss.exe")) or
    (process.name:"csrss.exe" and not process.parent.name:("smss.exe" or
    "svchost.exe")) or (process.name:"wininit.exe" and not
    process.parent.name:"smss.exe") or (process.name:"winlogon.exe" and
    not process.parent.name:"smss.exe") or (process.name:"lsass.exe" and
    not process.parent.name:"wininit.exe") or (process.name:"LogonUI.exe"
    and not process.parent.name:("winlogon.exe" or "wininit.exe")) or
    (process.name:"services.exe" and not
    process.parent.name:"wininit.exe") or (process.name:"svchost.exe" and
    not process.parent.name:("services.exe" or "MsMpEng.exe")) or
    (process.name:"spoolsv.exe" and not
    process.parent.name:"services.exe") or (process.name:"taskhost.exe"
    and not process.parent.name:("services.exe" or "svchost.exe")) or
    (process.name:"taskhostw.exe" and not
    process.parent.name:("services.exe" or "svchost.exe")) or
    (process.name:"userinit.exe" and not process.parent.name:("dwm.exe" or
    "winlogon.exe")) )