
Unusual Parent-Child Relationship

Inspired by the Elastic prebuilt rule reference, you can write your own query to identify Windows programs run from unexpected parent processes.

Unexpected parent processes often appear in scenarios involving privilege escalation (TA0004).

Query

SQL

-- Unusual parent-child relationship hunt: core Windows processes whose parent
-- is not one of its expected launchers. Each OR branch pairs one child image
-- name with the allow-list of parents it is normally started by.
-- NOTE(review): NOT IN is three-valued. If parentProcessName can be NULL
-- (e.g. the parent was not recorded), that row evaluates to UNKNOWN and is
-- silently dropped rather than surfaced — confirm nullability of the column.
-- NOTE(review): name matching uses plain '='; whether it is case-sensitive
-- depends on the backing store, so verify that e.g. 'LogonUI.exe' also
-- matches differently-cased spellings before relying on this list.
SELECT DISTINCT
    p.processId,
    p.processName,
    p.parentProcessName,
    p.parentProcessId
FROM `Processes/processObject` AS p
WHERE
       (p.processName = 'smss.exe'      AND p.parentProcessName NOT IN ('System', 'smss.exe'))
    OR (p.processName = 'csrss.exe'     AND p.parentProcessName NOT IN ('smss.exe', 'svchost.exe'))
    OR (p.processName = 'wininit.exe'   AND p.parentProcessName NOT IN ('smss.exe'))
    OR (p.processName = 'winlogon.exe'  AND p.parentProcessName NOT IN ('smss.exe'))
    OR (p.processName = 'lsass.exe'     AND p.parentProcessName NOT IN ('wininit.exe'))
    OR (p.processName = 'LogonUI.exe'   AND p.parentProcessName NOT IN ('winlogon.exe', 'wininit.exe'))
    OR (p.processName = 'services.exe'  AND p.parentProcessName NOT IN ('wininit.exe'))
    OR (p.processName = 'svchost.exe'   AND p.parentProcessName NOT IN ('services.exe', 'MsMpEng.exe'))
    OR (p.processName = 'spoolsv.exe'   AND p.parentProcessName NOT IN ('services.exe', 'MsMpEng.exe'))
    OR (p.processName = 'taskhost.exe'  AND p.parentProcessName NOT IN ('services.exe', 'svchost.exe'))
    OR (p.processName = 'taskhostw.exe' AND p.parentProcessName NOT IN ('services.exe', 'svchost.exe'))
    OR (p.processName = 'userinit.exe'  AND p.parentProcessName NOT IN ('dwm.exe', 'winlogon.exe'))
-- Page size only: there is no ORDER BY, so these 50 rows are an arbitrary
-- sample of the matches, not the complete set — raise the limit when triaging.
LIMIT 50 OFFSET 0

GraphQL

   # GraphQL form of the same hunt: each entry in `query` pairs one child
   # image name with the parents it is normally launched by. Presumably the
   # entries are OR-ed (mirroring the SQL version) — confirm against the
   # API docs before treating an empty result as "nothing unusual".
   processObject(query: [
     { processName: { is: "smss.exe" },      parentProcessName: { notIn: ["System", "smss.exe"] } },
     { processName: { is: "csrss.exe" },     parentProcessName: { notIn: ["smss.exe", "svchost.exe"] } },
     { processName: { is: "wininit.exe" },   parentProcessName: { notIn: ["smss.exe"] } },
     { processName: { is: "winlogon.exe" },  parentProcessName: { notIn: ["smss.exe"] } },
     { processName: { is: "lsass.exe" },     parentProcessName: { notIn: ["wininit.exe"] } },
     { processName: { is: "LogonUI.exe" },   parentProcessName: { notIn: ["winlogon.exe", "wininit.exe"] } },
     { processName: { is: "services.exe" },  parentProcessName: { notIn: ["wininit.exe"] } },
     { processName: { is: "svchost.exe" },   parentProcessName: { notIn: ["services.exe", "MsMpEng.exe"] } },
     { processName: { is: "spoolsv.exe" },   parentProcessName: { notIn: ["services.exe", "MsMpEng.exe"] } },
     { processName: { is: "taskhost.exe" },  parentProcessName: { notIn: ["services.exe", "svchost.exe"] } },
     { processName: { is: "taskhostw.exe" }, parentProcessName: { notIn: ["services.exe", "svchost.exe"] } },
     { processName: { is: "userinit.exe" },  parentProcessName: { notIn: ["dwm.exe", "winlogon.exe"] } },
   ]) {
     # Fields returned per match; parentProcessId lets the analyst pivot to
     # the parent's own record when triaging a hit.
     processId
     processName
     parentProcessName
     parentProcessId
   }

MITRE ATT&CK Mapping