
Detecting the presence of csrss Spawning Suspicious Child

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be installed and its process-creation events (Sysmon Event ID 1, which record both the created image and its parent image) to be collected, because the parent-child relationship is what the rule evaluates.

Rule type:

Correlation rule

Rule description:

This correlation rule monitors the legitimate Windows process csrss.exe (Client/Server Runtime Subsystem) for suspicious activity. Apart from the Windows Error Reporting components it starts when another process crashes, csrss.exe does not create child processes, so the rule flags process-creation events whose parent is csrss.exe. Such an event may indicate code injected into csrss.exe, a process created under its identity, or a lookalike binary named csrss.exe running from a non-system path, and it warrants further investigation.

Data source:

Windows: User account, process, file, kernel, service

Relevant MITRE ATT&CK techniques and tactics:

Criteria:

This correlation rule evaluates process-creation events whose parent image is csrss.exe. Its logic references the following Windows Error Reporting processes, which csrss.exe launches as part of normal crash handling:

  • werfault.exe: Windows Error Reporting Service Fault Reporter
  • wermgr.exe: Windows Error Reporting Service Manager
  • WerFaultSecure.exe: Secure version of Windows Error Reporting Service Fault Reporter

Because these launches occur when another process crashes, they are the baseline an analyst should expect to see under csrss.exe. Any other child process, or a csrss.exe running from a path other than %SystemRoot%\System32, is the signal worth investigating.
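The detection logic described above, written as an added example for this page rather than the vendor's own rule implementation. It parses the "Key: Value" body of Sysmon Event ID 1 (Process Create) messages, treats the three Windows Error Reporting processes as the expected children of a genuine System32\csrss.exe, flags any other child, and additionally flags a csrss.exe running from any other path (a common masquerade). Field names follow the Sysmon Event ID 1 schema; the sample events are constructed, and the path check is this example's own addition, not something the page states about the rule.

```python
"""Flag child processes of csrss.exe from Sysmon Event ID 1 message text.

Added example, not the vendor's rule logic. Field names follow the Sysmon
Event ID 1 schema; the sample events below are constructed.
"""
import ntpath

# Windows Error Reporting components that a genuine csrss.exe launches when
# another process crashes. These are the expected baseline, not the alert.
EXPECTED_CHILDREN = {"werfault.exe", "wermgr.exe", "werfaultsecure.exe"}

# Path of the real csrss.exe (assumed default SystemRoot). A csrss.exe
# anywhere else is a lookalike.
GENUINE_CSRSS_PATH = r"c:\windows\system32\csrss.exe"


def parse_sysmon_message(text):
    """Parse the 'Key: Value' body of a Sysmon Event ID 1 message into a dict.

    The 'Process Create:' header line has no ': ' separator and is skipped.
    """
    event = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def classify(event):
    """Return None for benign events, otherwise a short reason for the alert."""
    parent = event.get("ParentImage", "")
    if ntpath.basename(parent).lower() != "csrss.exe":
        return None  # parent is not csrss.exe; the rule does not apply
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent.lower() != GENUINE_CSRSS_PATH:
        # A csrss.exe outside System32 is a masquerade, whatever it spawns.
        return f"csrss.exe masquerade at {parent} spawned {child}"
    if child in EXPECTED_CHILDREN:
        return None  # WER started during crash handling; expected behaviour
    return f"unexpected child of csrss.exe: {child} (pid {event.get('ProcessId')})"


def scan(messages):
    """Return (UtcTime, reason) for every message that should raise an alert."""
    alerts = []
    for text in messages:
        event = parse_sysmon_message(text)
        reason = classify(event)
        if reason:
            alerts.append((event.get("UtcTime"), reason))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Crash handling: genuine csrss.exe starts WerFault.exe. Expected.
    r"""Process Create:
RuleName: -
UtcTime: 2024-02-20 09:01:12.001
ProcessId: 5120
Image: C:\Windows\System32\WerFault.exe
CommandLine: C:\Windows\system32\WerFault.exe -u -p 4010 -s 1234
ParentProcessId: 612
ParentImage: C:\Windows\System32\csrss.exe
ParentUser: NT AUTHORITY\SYSTEM""",
    # 2. Genuine csrss.exe spawning cmd.exe: never legitimate. Alert.
    r"""Process Create:
RuleName: -
UtcTime: 2024-02-20 09:02:45.330
ProcessId: 7788
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c whoami
ParentProcessId: 612
ParentImage: C:\Windows\System32\csrss.exe
ParentUser: NT AUTHORITY\SYSTEM""",
    # 3. Lookalike csrss.exe in a user-writable directory. Alert.
    r"""Process Create:
RuleName: -
UtcTime: 2024-02-20 09:05:10.812
ProcessId: 8120
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -nop -w hidden
ParentProcessId: 8004
ParentImage: C:\Users\Public\csrss.exe
ParentUser: CORP\jdoe""",
    # 4. WerFault.exe started by the WER service host, not csrss.exe. Out of scope.
    r"""Process Create:
RuleName: -
UtcTime: 2024-02-20 09:06:02.550
ProcessId: 8300
Image: C:\Windows\System32\WerFault.exe
CommandLine: C:\Windows\system32\WerFault.exe -pss -s 400 -p 7000
ParentProcessId: 1500
ParentImage: C:\Windows\System32\svchost.exe
ParentUser: NT AUTHORITY\SYSTEM""",
]

if __name__ == "__main__":
    for when, reason in scan(SAMPLE_EVENTS):
        print(when, reason)
```

Running the block prints two alerts: the cmd.exe child of the genuine csrss.exe and the powershell.exe child of the lookalike in C:\Users\Public. The path check is ordered before the allowlist on purpose, so a lookalike csrss.exe cannot hide by spawning werfault.exe.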

When to enable this rule:

Enable this rule to detect potential malware injection into csrss.exe, or other unauthorized system tampering, that surfaces as csrss.exe spawning suspicious child processes.

Compliance mapping (NIST, CIS):

NIST Cybersecurity Framework (CSF): DE.AE (Anomalies and Events) to detect abnormal process relationships that may signal an attack.

CIS Controls: 8 (Malware Defenses; this numbering is from CIS Controls v7, where the same control is Control 10 in v8) to detect and contain abuse of system processes through the spawning of suspicious child processes.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.