A newer version is available. For the latest information, see the current release documentation.
« Unusual Network Connection via RunDLL32 Unusual Process Execution - Temp »
Elastic Docs SIEM Guide [7.6] Detections (Beta) Prebuilt rule reference

Unusual Parent-Child Relationship

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Unusual Parent-Child Relationship

edit

Identifies Windows programs run by unexpected parent processes. This could indicate masquerading or other strange activity on a system.

Rule indices:

  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Windows

Rule version: 1

Added (Elastic Stack release): 7.6.0

Rule query

edit
event.action:"Process Create (rule: ProcessCreate)" and
process.parent.executable:* and ( (process.name:"smss.exe" and
not process.parent.name:("System" or "smss.exe")) or
(process.name:"csrss.exe" and not process.parent.name:("smss.exe" or
"svchost.exe")) or (process.name:"wininit.exe" and not
process.parent.name:"smss.exe") or (process.name:"winlogon.exe"
and not process.parent.name:"smss.exe") or
(process.name:"lsass.exe" and not process.parent.name:"wininit.exe")
or (process.name:"LogonUI.exe" and not
process.parent.name:("winlogon.exe" or "wininit.exe")) or
(process.name:"services.exe" and not
process.parent.name:"wininit.exe") or
(process.name:"svchost.exe" and not
process.parent.name:("services.exe" or "MsMpEng.exe")) or
(process.name:"spoolsv.exe" and not
process.parent.name:"services.exe") or
(process.name:"taskhost.exe" and not
process.parent.name:("services.exe" or "svchost.exe")) or
(process.name:"taskhostw.exe" and not
process.parent.name:("services.exe" or "svchost.exe")) or
(process.name:"userinit.exe" and not process.parent.name:("dwm.exe" or
"winlogon.exe")) )

Threat mapping

edit

Framework: MITRE ATT&CKTM

« Unusual Network Connection via RunDLL32 Unusual Process Execution - Temp »