Detecting the presence of SearchProtocolHost spawning suspicious child

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule targets the behavior of a legitimate Windows program, SearchProtocolHost.exe, specifically looking for suspicious processes it spawns (child processes). SearchProtocolHost normally interacts with various indexing services. The rule flags situations where it creates child processes that are uncommon or known to be malicious.

Data source:

Windows: User account, process, network traffic

Relevant MITRE ATT&CK techniques and tactics:

Tactics: Execution

Techniques: Command and Scripting Interpreter (T1059)

Sub-techniques: CreateProcess (T1059.003)

Criteria:

Identifying the Processes: The rule focuses on three specific processes:

  • werfault.exe
  • wermgr.exe
  • WerFaultSecure.exe

Parent-Child relationship: The rule goes beyond just identifying these processes. It also checks the parent process of each identified process. A parent process is the program that initiated the creation of another program (the child process).

The rule specifies three possible parent processes:

  • Windows\System32\SearchProtocolHost.exe
  • Windows\SysWow64\SearchProtocolHost.exe
  • WINNT\system32\SearchProtocolHost.exe

These processes are all related to the Windows Search Protocol Host, a component that allows other programs to interact with Windows Search.
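The correlation described in the criteria above, as an added Python example that is not part of this rule or its product. It assumes Sysmon Event ID 1 (process creation) records flattened to constructed "Key=Value" pairs, and matches the three parent paths as trailing path components because the page lists them without a drive letter.

```python
from pathlib import PureWindowsPath
# Child image file names the rule matches (compared case-insensitively).
SUSPICIOUS_CHILDREN = {"werfault.exe", "wermgr.exe", "werfaultsecure.exe"}

# Parent paths from the rule criteria; the page lists them without a drive
# letter, so they are matched as trailing path components.
PARENT_SUFFIXES = (
    ("windows", "system32", "searchprotocolhost.exe"),
    ("windows", "syswow64", "searchprotocolhost.exe"),
    ("winnt", "system32", "searchprotocolhost.exe"),
)

# Constructed sample Sysmon Event ID 1 records, flattened to "Key=Value" pairs
# for this example; real Sysmon events are XML inside EVTX.
SAMPLE_EVENTS = [
    "EventID=1 | Image=C:\\Windows\\System32\\WerFault.exe | ParentImage=C:\\Windows\\System32\\SearchProtocolHost.exe",
    "EventID=1 | Image=C:\\Windows\\System32\\WerFault.exe | ParentImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=1 | Image=C:\\Windows\\SysWOW64\\wermgr.exe | ParentImage=C:\\Windows\\SysWow64\\SearchProtocolHost.exe",
    "EventID=1 | Image=C:\\Windows\\System32\\WerFaultSecure.exe | ParentImage=C:\\Users\\Public\\SearchProtocolHost.exe",
    "EventID=3 | Image=C:\\Windows\\System32\\WerFault.exe | ParentImage=C:\\Windows\\System32\\SearchProtocolHost.exe",
]

def parse_event(line: str) -> dict:
    # Split one flattened record into a field dictionary.
    fields = {}
    for pair in line.split(" | "):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def parent_matches(parent_image: str) -> bool:
    # True when the parent path ends with one of the SearchProtocolHost locations.
    parts = tuple(p.lower() for p in PureWindowsPath(parent_image).parts)
    return any(parts[-len(suffix):] == suffix for suffix in PARENT_SUFFIXES)

def is_suspicious(event: dict) -> bool:
    # Correlation: process creation event, listed child, SearchProtocolHost parent.
    if event.get("EventID") != "1":
        return False
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return child in SUSPICIOUS_CHILDREN and parent_matches(event.get("ParentImage", ""))

def scan(lines) -> list:
    # Return (child, parent) pairs for every record that would trigger the rule.
    hits = []
    for event in map(parse_event, lines):
        if is_suspicious(event):
            hits.append((event["Image"], event["ParentImage"]))
    return hits
```

Note that a SearchProtocolHost.exe located outside the three listed directories (the fourth sample record) does not match, which is the behaviour of the criteria as written.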

When to enable this rule:

Enable this rule to detect potential privilege escalation attempts through SearchProtocolHost.exe spawning suspicious child processes. While SearchProtocolHost.exe is a legitimate process, attackers can abuse it to spawn child processes that elevate privileges and move laterally within a network. This rule can help identify such malicious activity.

Compliance mapping (NIST, CIS):

NIST Cybersecurity Framework (CSF): DE.AE (Detection Processes) for detecting anomalies in system processes indicative of malicious activities.

CIS: 8 (Malware Defense) to detect and prevent execution of unauthorized child processes that could indicate a compromise.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.