Investigating "Suspicious Process Parent" findings

Overview

This guide contains helpful tips for investigating "Suspicious Process Parent" findings. When not malicious, critical Windows system processes are launched by legitimate Windows components. When one of these processes has an unusual parent process, the activity indicates process masquerading.

To catch malicious activity, the "Suspicious Process Parent" detection rule is triggered by Windows logs where the process name contains a critical Windows system process, such as svchost.exe, taskhost.exe, lsm.exe, lsass.exe, services.exe, lsaiso.exe, csrss.exe, wininit.exe, or winlogon.exe, and the parent process name does not contain known legitimate processes or directories.

Using Report Builder to investigate logs related to the process tree

Reference: See Using the Report Builder for more information about building reports.

After receiving a finding about a suspicious process parent, investigating the process tree via Report Builder can help you to verify the parent and the nature of the activity. While reviewing the report, look for the following information:

  • Review the user associated with the different processes to determine if the user is authorized to perform the activity observed.
  • Review the file paths of the processes to verify that the parent process is legitimate and expected.
  • Review any commands associated with the processes for additional information on the actions performed by the process.

To investigate the full process tree related to this process execution, do the following:

  1. Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
  2. Set Time Range to include the time of the activity that you need to investigate.
  3. In Data Sources, select Microsoft Windows.
  4. Click Edit Report and then click Add Filter.
  5. Click Add Filter and then add the following report filters to narrow your logs to those for the impacted device where the process was logged:
    • Add a filter for the device in question.
      Example: devname - Equal - workstation1
    • Add a filter for the process IDs observed in the finding, adding the process IDs and parent process IDs so that you can see more of the process tree.
      Example: process_id - In - 123 456 789
  6. Under Selected Columns, add columns to your report, such as those below, to see more information about the related processes in your results:
    • devname
    • device_address
    • domain
    • user
    • process_name
    • process_id
    • command
    • parent_process_name
    • parent_process_id
    • parent.cmdline
    • description
    • windows_event_id
  7. Click Submit.

Adding detection filters

If the activity observed in the finding is related to an expected and trusted process, you may want to exclude this parent process from detection so that Blumira stops generating findings. You can add a detection filter for the parent process you no longer want to see findings for.

Here are some example detection filters you can add:

  • Excluding a single parent process from triggering this detection:
    parent_process_name - Equal - TrustedParentProcessName.exe
  • Excluding multiple parent processes using the "In" operator:
    parent_process_name - In - TrustedProcess1.exe TrustedProcess2.exe
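As an added example (not Blumira's rule or code), the following Python evaluates the rule logic described in the Overview over constructed process-creation records and then applies detection filters of the Equal / In form shown above. The field names follow the report columns listed earlier; the allowlist of legitimate parents and directories is an assumption, since the page does not list the rule's actual allowlist.

```python
# Critical Windows system processes named in the rule description.
CRITICAL_PROCESSES = (
    "svchost.exe", "taskhost.exe", "lsm.exe", "lsass.exe", "services.exe",
    "lsaiso.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
)
# ASSUMED allowlist: the page says the rule checks "known legitimate processes
# or directories" but does not list them, so these entries are illustrative.
LEGITIMATE_PARENTS = ("services.exe", "wininit.exe", "smss.exe", "csrss.exe",
                      "winlogon.exe", "\\windows\\system32\\")

def is_suspicious_parent(event):
    """True when the process is a critical system process whose parent name
    contains none of the known legitimate processes or directories."""
    proc = event["process_name"].lower()
    parent = event["parent_process_name"].lower()
    if not any(name in proc for name in CRITICAL_PROCESSES):
        return False  # not a critical system process; the rule does not apply
    return not any(ok in parent for ok in LEGITIMATE_PARENTS)

def matches_filter(event, field, operator, values):
    """Evaluate one detection filter written as: field - operator - values."""
    actual = event.get(field, "").lower()
    wanted = [v.lower() for v in values]
    if operator == "Equal":
        return actual == wanted[0]
    if operator == "In":
        return actual in wanted
    raise ValueError(f"unsupported operator: {operator}")

def find_suspicious(events, detection_filters=()):
    """Return the events that would become findings after the filters are applied."""
    findings = []
    for ev in events:
        if not is_suspicious_parent(ev):
            continue
        if any(matches_filter(ev, *f) for f in detection_filters):
            continue  # suppressed by a detection filter for a trusted parent
        findings.append(ev)
    return findings

# Constructed sample records (not real logs); columns mirror the report above.
SAMPLE_EVENTS = [
    {"devname": "workstation1", "user": "SYSTEM", "process_id": "123", "process_name": "svchost.exe",
     "parent_process_id": "456", "parent_process_name": "services.exe"},
    {"devname": "workstation1", "user": "jdoe", "process_id": "789", "process_name": "svchost.exe",
     "parent_process_id": "321", "parent_process_name": "WINWORD.EXE"},
    {"devname": "workstation1", "user": "jdoe", "process_id": "654", "process_name": "lsass.exe",
     "parent_process_id": "987", "parent_process_name": "updater.exe"},
    {"devname": "workstation1", "user": "jdoe", "process_id": "111", "process_name": "notepad.exe",
     "parent_process_id": "222", "parent_process_name": "WINWORD.EXE"},
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print("finding:", ev["devname"], ev["process_name"], "<-", ev["parent_process_name"])
    trusted = [("parent_process_name", "In", ["TrustedProcess1.exe", "WINWORD.EXE"])]
    print(len(find_suspicious(SAMPLE_EVENTS, trusted)), "finding(s) remain after filtering")
```

Running it prints two findings (svchost.exe under WINWORD.EXE and lsass.exe under updater.exe); after the In filter for WINWORD.EXE only the lsass.exe finding remains.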