Triage & Analysis of Alert - Investigating Suspicious and Unusual Parent-Child Relationships in Windows Processes

on

Investigating Suspicious and Unusual Parent-Child Relationships in Windows Processes

As cyber security threats continue to evolve, attackers are finding new ways to compromise systems and steal sensitive information. One common technique is to exploit the relationship between parent and child processes in Windows, which can be used to run malicious code with administrative privileges. In this article, we'll explore how to investigate suspicious parent-child relationships in Windows processes to identify potential security risks.


Understanding Parent and Child Processes

Before we dive into the investigation process, it's important to understand how parent and child processes work in Windows. A parent process is a system process that initiates and manages other processes, known as child processes. For example, when you open a web browser, the browser process becomes the parent process, and any tabs or windows you open become child processes.

In Windows, the Task Manager can be used to view and manage processes. By default, Task Manager only displays the parent process for each running process. However, you can enable the "Process Tree" view to see the entire hierarchy of parent and child processes for a given process.

Suspicious Parent-Child Relationships

One way attackers can exploit parent-child relationships is by using a legitimate parent process to initiate a malicious child process. For example, the parent process "taskhost.exe" is a Windows system process responsible for running background tasks such as maintenance tasks, update installations, and device synchronization. However, a malicious actor could create a child process called "ngentask.exe" that is related to the .NET Runtime Optimization Service, which is used to optimize the performance of .NET Framework applications by compiling them into native machine code.

The fact that taskhost.exe is initiating the ngentask.exe process is not necessarily unusual, as it is a legitimate system process. However, the specific circumstances of this occurrence may be unusual if it is outside of expected system behavior. It is important to note that the SYSTEM user is initiating these processes, which indicates that the processes are running with administrative privileges. This could potentially indicate a security risk if a malicious actor gains access to the system and exploits these processes to carry out unauthorized actions.


Investigating Suspicious Parent-Child Relationships

To investigate suspicious parent-child relationships, we can use the following steps:
  • Investigate the process execution chain (parent process tree) for unknown processes.
  • Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
  • Investigate other alerts associated with the user/host during the past 48 hours.
  • Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.

Examine the host for derived artifacts that indicate suspicious activities:

  • Analyze the process executable using a private sandboxed analysis system.
  • Observe and collect information about the following activities in both the sandbox and the alert subject host.
  • Attempts to contact external domains and addresses.
  • Examine the DNS cache for suspicious or anomalous entries.
  • Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
  • Examine the host services for suspicious or anomalous entries.
  • Retrieve the files' SHA-256 hash values using the PowerShell Get-FileHash cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
  • Investigate potentially compromised accounts by searching for login events (for example, 4624) to the target host after the registry modification.


False Positive Analysis

While suspicious parent-child relationships are unlikely to happen legitimately, it's important to note that false positives can occur. For example, certain software may create child processes that appear suspicious but are actually part of normal operation. Therefore, it's important to carefully analyze and confirm any potential security risks before taking action.

Conclusion

Investigating suspicious parent-child relationships in Windows processes is an important step in identifying potential security risks and protecting your system from cyber threats. By understanding how parent and child processes work in Windows, and by following the steps outlined in this article, you can better detect and respond to suspicious activity. Remember to always stay vigilant and keep your security tools and practices up-to-date to stay one step ahead of attackers.

Comments

Post a Comment

1) Read and understand the article before commenting: It's important to read the entire article and try to understand the message being conveyed before leaving a comment. This can help you avoid making false claims or misinterpreting the author's intent.

2) Be respectful: When leaving a comment, be respectful of others, including the author, other commenters, and any individuals mentioned in the article. Avoid using derogatory or offensive language, and do not insult or attack others.

3) Stay on topic: When leaving a comment, make sure it's relevant to the article or topic being discussed. Avoid going off on tangents or bringing up unrelated issues.

4) Back up your claims: If you are making a claim or statement in your comment, make sure you have evidence to support it. This can help prevent false information from spreading.

5) Avoid hate speech: Hate speech is any speech that attacks a person or group on the basis of their race, religion, gender, sexual orientation, or other characteristics. Avoid using hate speech in your comments, as it can be hurtful and offensive to others.

6) Check your emotions: If you feel strongly about a topic, it's important to check your emotions before leaving a comment. Avoid making comments when you're angry or upset, as this can lead to making false claims or using offensive language.

7) Don't feed the trolls: If you encounter a comment that is false or offensive, avoid engaging with the commenter. Responding to trolls or individuals who are looking to stir up controversy can often make the situation worse.