185. Using Process Parent and Children Relationships for Detection and Hunting

Hello everyone!

Today we're going to talk about some basics. But such basics are extremely important to document and use. I'm talking about process parent and child relationships.

The thing is, some processes rarely or never spawn certain other processes in a legitimate way. So if you see such a behaviour marker, it's most likely related to malicious activity. The problem is that there can be many, many variants of such markers.

Let's look at an example, which belongs to Kimsuky. It's a malicious VBS file. If we look at it closely, we can see that in this case wscript.exe spawns curl.exe to download another malicious file. This is an example of a behaviour marker we can use for detection or hunting:

event_type: "processcreatewin"
AND
proc_p_file_path: "wscript.exe"
AND
proc_file_path: "curl.exe"

And yes, as I mentioned before, there can be many variants of such behaviour markers, so make sure to document it!
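To show how such a documented marker can be applied to telemetry, here is an added example (not code from the post): it keeps a small list of parent/child markers using the post's own field names and checks constructed process-creation events against them. The events, the marker list structure and the function names are assumptions for the example; only the wscript.exe -> curl.exe pair comes from the post.

```python
from ntpath import basename

# Documented markers as (event type, parent image, child image). Only the
# pair from the post's Kimsuky VBS sample is listed; add variants as you
# document them.
MARKERS = [
    {
        "name": "wscript.exe -> curl.exe",
        "event_type": "processcreatewin",
        "proc_p_file_path": "wscript.exe",
        "proc_file_path": "curl.exe",
    },
]

# Constructed sample events (not real telemetry) using the post's field names.
EVENTS = [
    {"event_type": "processcreatewin",
     "proc_p_file_path": r"C:\Windows\System32\wscript.exe",
     "proc_file_path": r"C:\Windows\System32\curl.exe"},
    {"event_type": "processcreatewin",
     "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_path": r"C:\Windows\System32\curl.exe"},
    {"event_type": "processcreatewin",
     "proc_p_file_path": r"C:\WINDOWS\SysWOW64\WScript.EXE",
     "proc_file_path": r"C:\Windows\System32\CURL.EXE"},
    {"event_type": "filecreatewin",
     "proc_p_file_path": r"C:\Windows\System32\wscript.exe",
     "proc_file_path": r"C:\Windows\System32\curl.exe"},
]


def image_name(path):
    """Reduce a full Windows image path to its lower-cased file name, so the
    marker matches regardless of directory (System32 vs SysWOW64) or case."""
    return basename(path).lower()


def matches(event, marker):
    """True when the event is a process-creation event whose parent and
    child image names equal the marker's parent/child pair."""
    return (event.get("event_type") == marker["event_type"]
            and image_name(event.get("proc_p_file_path", "")) == marker["proc_p_file_path"]
            and image_name(event.get("proc_file_path", "")) == marker["proc_file_path"])


def hunt(events, markers=MARKERS):
    """Return (event index, marker name) for every event that hits a marker."""
    return [(i, m["name"]) for i, e in enumerate(events)
            for m in markers if matches(e, m)]


if __name__ == "__main__":
    for idx, name in hunt(EVENTS):
        print(f"event {idx}: {name}")
```

Events 0 and 2 hit the marker (the second despite different case and directory), while explorer.exe spawning curl.exe and the non-process event do not.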

See you tomorrow!

