Process Lineage Analysis
Definition
Identification of suspicious processes executing on an endpoint device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.
Synonyms: Process Tree Analysis
How it works
Process tree analysis techniques gather information on how a process was initiated to determine whether it is malicious. For example, if a process was not initiated at boot and was not initiated by another process, that process is identified as suspicious. Also, if a new process was started before a process initiated by the device (e.g. during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as the type of process, its creator, source, etc.), the process is identified as suspicious.
For example, Microsoft Word may block execution of any subprocess that is not in an approved path.
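As an added illustration, not taken from the D3FEND article or from either referenced patent, the following Python script builds a process tree from a handful of constructed process-start events and applies the lineage checks described above: a process with no recorded parent outside the boot window, a process whose parent is not on its expected-parent list, an office application spawning a command shell, and a child whose start time precedes its parent's (a lineage inconsistency). The event fields, process names, expected-parent table and 30-second boot window are all assumptions chosen for the example.

```python
"""Toy process-lineage analysis over constructed process-start events (added example)."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str
    start: float   # seconds since boot (constructed values)
    user: str      # account the process runs as


# Assumed expected parents per child image; anything else is flagged.
EXPECTED_PARENTS = {
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "cmd.exe": {"explorer.exe", "cmd.exe", "powershell.exe"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def build_tree(events):
    """Index events by pid and group children by parent pid."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    return by_pid, children


def ancestry(by_pid, pid):
    """Walk from pid up to the root; returns image names oldest-first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def analyse(events, boot_end=30.0):
    """Return one finding per process that fails any lineage check."""
    by_pid, _children = build_tree(events)
    findings = []
    for e in events:
        reasons = []
        parent = by_pid.get(e.ppid)
        # 1. Not started at boot and no recorded parent: orphan process.
        if parent is None and e.start > boot_end:
            reasons.append("no recorded parent")
        # 2. Parent image not on this child's expected-parent list.
        if parent and e.name in EXPECTED_PARENTS and parent.name not in EXPECTED_PARENTS[e.name]:
            reasons.append(f"unexpected parent {parent.name}")
        # 3. Office application spawning a command interpreter.
        if parent and parent.name in OFFICE_APPS and e.name in SHELLS:
            reasons.append(f"{parent.name} spawned shell")
        # 4. Child recorded as starting before its parent: inconsistent lineage.
        if parent and e.start < parent.start:
            reasons.append("started before parent")
        if reasons:
            findings.append({"pid": e.pid, "name": e.name,
                             "ancestry": ancestry(by_pid, e.pid), "reasons": reasons})
    return findings


# Constructed sample events: a normal boot chain, a user session, and four anomalies.
EVENTS = [
    ProcEvent(4, 0, "System", 0.0, "SYSTEM"),
    ProcEvent(400, 4, "wininit.exe", 2.0, "SYSTEM"),
    ProcEvent(500, 400, "services.exe", 3.0, "SYSTEM"),
    ProcEvent(600, 500, "svchost.exe", 4.0, "SYSTEM"),
    ProcEvent(1000, 500, "explorer.exe", 20.0, "alice"),
    ProcEvent(2000, 1000, "winword.exe", 120.0, "alice"),
    ProcEvent(2100, 2000, "cmd.exe", 125.0, "alice"),       # office app spawning a shell
    ProcEvent(3000, 9999, "update.exe", 300.0, "SYSTEM"),   # parent pid 9999 never recorded
    ProcEvent(3100, 600, "svchost.exe", 310.0, "SYSTEM"),   # svchost parented by svchost
    ProcEvent(3200, 500, "svchost.exe", 2.5, "SYSTEM"),     # starts before its parent
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"pid {f['pid']} {f['name']}: {', '.join(f['reasons'])}")
        print("   lineage:", " -> ".join(f["ancestry"]))
```

The ancestry walk stops on any pid it has already visited, so a reused or looped PPID cannot send it into an infinite loop; in real telemetry the same guard matters because PIDs are recycled and a spoofed parent PID may point at a process that exited long ago.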
Considerations
- Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis of process lineage ineffective.
- Processes may hide from various means of detection; an example on Linux is where a rootkit might remove key files for the process from its directory in /proc.
- Zombie processes.
References
The following references were used to develop the Process Lineage Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
CAR-2020-11-002: Local Network Sniffing
CAR-2020-11-004: Processes Started From Irregular Parent
CAR-2021-02-002: Get System Elevation
CAR-2021-05-003: BCDEdit Failure Recovery Modification
CAR-2014-11-008: Command Launched from WinLogon
CAR-2014-11-003: Debuggers for Accessibility Applications
CAR-2019-04-002: Generic Regsvr32
CAR-2014-11-002: Outlier Parents of Cmd
CAR-2013-02-003: Processes Spawning cmd.exe
CAR-2013-04-002: Quick execution of a series of suspicious commands
CAR-2013-03-001: Reg.exe called from Command Shell
CAR-2014-12-001: Remotely Launched Executables via WMI
CAR-2013-09-005: Service Outlier Executables
CAR-2014-07-001: Service Search Path Interception
System and methods thereof for causality identification and attributions determination of processes in a network
MITRE Comments
This patent describes detecting malicious processes on a host. Agents are deployed on hosts that monitor all initiated processes and determine whether a process was initiated at boot or initiated by another process. If not initiated at boot or by another process, the process is identified as suspicious and an alert is triggered.
System and methods thereof for identification of suspicious system processes
MITRE Comments
The patent describes detecting malicious processes by identifying the order of process initiation. The start of a user-initiated process (user query, opening an application, etc.) is compared with the start of processes initiated by the device (e.g. during boot). In addition, a determination is made on whether processes were not initiated by a user by examining process parameters such as the type of process, its creator, source, etc. If it is determined that a user-initiated process was started before a process initiated by the device and the process was not initiated by the user, the process is marked as suspicious.