Suspicious Parent Spawning Consent

Rule added on 20th February, 2024

Prerequisite:

The rule requires sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule monitors for a process identified as suspicious launching a program named "consent.exe". Malicious actors can exploit consent.exe for privilege escalation, so this rule flags such launches for further investigation.

Data source:

Windows: Network traffic, process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0007 - Discovery, TA0006 - Credential Access

Techniques: T1134 - Access Token Manipulation, T1036 - Masquerading, T1049 - System Network Configuration Discovery, T1003 - OS Credential Dumping

Sub-techniques: T1134.004 - Parent PID Spoofing

Criteria:

Suspicious parent spawning Consent.exe:

This rule checks if a process named "consent.exe" is spawned.

  • It considers it suspicious if the parent process is not one of the legitimate svchost.exe locations (Windows\System32\svchost.exe, Windows\SysWow64\svchost.exe, or WINNT\system32\svchost.exe)
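The criterion above can be expressed as a small check over Sysmon Event ID 1 (process creation) records. The following is an added illustration, not the product's own rule implementation: the field names (EventID, Image, ParentImage, ProcessId) follow the Sysmon event schema, while the sample records are constructed here. The check normalises the parent path (case-folded, drive letter removed) so that the three legitimate svchost.exe locations match regardless of install drive or letter case, and treats any other parent as suspicious.

```python
"""Detection logic for 'suspicious parent spawning consent.exe'.

Added example: Sysmon Event ID 1 records are modelled as dicts whose
keys follow the Sysmon schema; the values below are constructed.
"""
from pathlib import PureWindowsPath

# Legitimate parents listed in the rule criteria, stored lower-case and
# without a drive letter so that C:\ and D:\ installs compare equal.
LEGITIMATE_PARENTS = {
    r"windows\system32\svchost.exe",
    r"windows\syswow64\svchost.exe",
    r"winnt\system32\svchost.exe",
}


def normalise(image_path: str) -> str:
    """Lower-case a Windows path and strip its drive/root component."""
    p = PureWindowsPath(image_path)
    # parts[0] is the anchor ('C:\\') when the path is absolute
    parts = p.parts[1:] if (p.drive or p.root) else p.parts
    return "\\".join(parts).lower()


def is_suspicious_consent_spawn(event: dict) -> bool:
    """True when consent.exe is created by a parent that is not one of
    the legitimate svchost.exe locations."""
    if event.get("EventID") != 1:
        return False  # only process-creation events are relevant
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    if child != "consent.exe":
        return False
    return normalise(event.get("ParentImage", "")) not in LEGITIMATE_PARENTS


def find_alerts(events):
    """Return the records that trigger the rule."""
    return [e for e in events if is_suspicious_consent_spawn(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # normal UAC prompt: consent.exe under the System32 svchost.exe
        "EventID": 1, "ProcessId": 4100,
        "Image": r"C:\Windows\System32\consent.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # same binary name as svchost.exe, but in a user-writable folder
        "EventID": 1, "ProcessId": 4102,
        "Image": r"C:\Windows\System32\Consent.exe",
        "ParentImage": r"C:\Windows\Temp\svchost.exe",
    },
    {   # legitimate WOW64 svchost.exe on a non-default install drive
        "EventID": 1, "ProcessId": 4200,
        "Image": r"D:\Windows\System32\consent.exe",
        "ParentImage": r"D:\Windows\SysWOW64\svchost.exe",
    },
    {   # unrelated process creation, ignored by the rule
        "EventID": 1, "ProcessId": 4300,
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # consent.exe launched from a command shell
        "EventID": 1, "ProcessId": 4305,
        "Image": r"C:\Windows\System32\consent.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # network-connection event (ID 3) with a consent.exe image: not in scope
        "EventID": 3, "ProcessId": 4100,
        "Image": r"C:\Windows\System32\consent.exe",
    },
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} parent={hit['ParentImage']}")
```

Running the block reports the two constructed records whose parent is outside the allowlist (process IDs 4102 and 4305); the Temp-folder svchost.exe case shows why the comparison is on the full path rather than the file name alone, which is the masquerading concern referenced under T1036.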

When to enable this rule:

Enable this rule to detect potential credential theft or lateral movement by flagging consent.exe processes that are launched by a suspicious parent.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Detection Processes) to identify unauthorized or suspicious use of the consent.exe process.
  • CIS Control: 8 (Malware Defense) aimed at detecting attempts to bypass User Account Control (UAC) through consent.exe manipulation.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.