Suspicious Parent Spawning LogonUI

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon process-creation logging (Sysmon Event ID 1) to be enabled; that event records the full image path of both the new process and its parent, which is what the rule evaluates.

Rule type:

Correlation

Rule description:

This correlation rule aims to identify potential malware by monitoring which processes spawn LogonUI.exe, the Windows logon user interface. On a normal system LogonUI.exe is started by winlogon.exe (the rule also accepts wininit.exe as a parent), and ordinary programs have no reason to launch it. If any other process spawns LogonUI.exe, the spawn is suspicious and may indicate an attempt to tamper with or impersonate the logon process, for example to capture credentials.

Data source:

Windows: Process (Sysmon process-creation events)

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0002 - Execution

Techniques: T1134 - Access Token Manipulation, T1204 - User Execution, T1047 - Windows Management Instrumentation

Sub-techniques: T1134.004 - Parent PID Spoofing

Criteria:

This rule monitors for the creation of a process whose image is "LogonUI.exe" located under a System32 or SysWow64 directory.

It flags the spawn as suspicious when the parent process image is not one of the following legitimate wininit.exe or winlogon.exe paths:

  • Windows\System32\wininit.exe
  • Windows\SysWow64\wininit.exe
  • WINNT\system32\wininit.exe
  • Windows\System32\winlogon.exe
  • Windows\SysWow64\winlogon.exe
  • WINNT\system32\winlogon.exe
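The criteria above, re-implemented as an added example (not the product's own rule logic) and run over a few constructed Sysmon Event ID 1 records. The field names follow Sysmon's ProcessCreate schema; the paths and PIDs in the sample records are made up. Two details worth noting: the allow-list is matched as a full path anchored to the drive root, so a parent such as C:\Temp\Windows\System32\winlogon.exe, which merely contains the allow-listed suffix, still alerts; and a LogonUI.exe outside System32/SysWow64 is outside this rule's scope and is not reported.

```python
"""Re-implementation of the 'Suspicious Parent Spawning LogonUI' criteria,
run over constructed Sysmon Event ID 1 (ProcessCreate) records.
Example code added for illustration; not the product's own rule logic."""
import re
from typing import Dict, Iterable, List

# The child in scope: LogonUI.exe under System32 or SysWow64. Sysmon records
# the full image path, so the pattern is anchored to the drive root.
LOGONUI_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\(System32|SysWow64)\\LogonUI\.exe$", re.IGNORECASE
)

# The six legitimate parent locations from the rule's criteria. Anchoring to
# the drive root (instead of a bare substring/suffix match) stops a look-alike
# such as C:\Temp\Windows\System32\winlogon.exe from passing as legitimate.
ALLOWED_PARENT_RE = re.compile(
    r"^[A-Za-z]:\\(Windows\\(System32|SysWow64)|WINNT\\system32)\\(wininit|winlogon)\.exe$",
    re.IGNORECASE,
)


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per in-scope LogonUI.exe spawn whose parent image is
    not an allow-listed wininit.exe/winlogon.exe path."""
    alerts = []
    for ev in events:
        if not LOGONUI_RE.match(ev.get("Image", "")):
            continue  # not LogonUI.exe in System32/SysWow64: out of scope
        parent = ev.get("ParentImage", "")
        if ALLOWED_PARENT_RE.match(parent):
            continue  # legitimate parent, no alert
        alerts.append({
            "rule": "Suspicious Parent Spawning LogonUI",
            "Image": ev["Image"],
            "ParentImage": parent,
            "ProcessId": ev.get("ProcessId", ""),
            "ParentProcessId": ev.get("ParentProcessId", ""),
        })
    return alerts


# Constructed sample records (Sysmon ProcessCreate field names; values made up).
SAMPLE_EVENTS = [
    {   # normal logon: winlogon.exe spawns LogonUI.exe -> no alert
        "Image": r"C:\Windows\System32\LogonUI.exe",
        "ParentImage": r"C:\Windows\System32\winlogon.exe",
        "ProcessId": "4120", "ParentProcessId": "612",
    },
    {   # unknown parent in a user-writable directory -> alert
        "Image": r"C:\Windows\System32\LogonUI.exe",
        "ParentImage": r"C:\Users\Public\updater.exe",
        "ProcessId": "5316", "ParentProcessId": "5290",
    },
    {   # parent path only *contains* the allow-listed suffix -> alert
        "Image": r"C:\Windows\System32\LogonUI.exe",
        "ParentImage": r"C:\Temp\Windows\System32\winlogon.exe",
        "ProcessId": "5400", "ParentProcessId": "5388",
    },
    {   # LogonUI.exe outside System32/SysWow64: not covered by this rule
        "Image": r"C:\Users\Public\LogonUI.exe",
        "ParentImage": r"C:\Users\Public\dropper.exe",
        "ProcessId": "5500", "ParentProcessId": "5488",
    },
    {   # unrelated process -> ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ProcessId": "6000", "ParentProcessId": "3200",
    },
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['rule']}: {a['ParentImage']} (PID {a['ParentProcessId']}) "
              f"spawned {a['Image']} (PID {a['ProcessId']})")
```

Because the check relies solely on the ParentImage field, a process that spoofs its parent PID (T1134.004) so that winlogon.exe appears as the parent will not be caught by this comparison alone; correlating the ParentProcessId against the process-creation event of the real winlogon.exe is a separate check.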

When to enable this rule:

Enable this rule to detect potential credential theft or tampering with the logon process by processes other than winlogon.exe or wininit.exe spawning LogonUI.exe.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Anomalies and Events) for identifying suspicious activity involving the logon user interface.
  • CIS Control: 8 (Malware Defenses, CIS Controls v7 numbering; Control 10 in v8) to monitor and protect the Logon UI process from being exploited for credential theft or impersonation.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or open a new one, and assign the incident to an analyst for in-depth examination.
  • Analysis: Investigate the parent process (full image path, command line, signer, user context and how it was itself started) and confirm that the spawned LogonUI.exe is the genuine Microsoft-signed binary. Use the Incident Workbench to assess the degree of compromise and the threat's severity.
  • Response: Use Workflows to run an automated response that terminates the identified malicious process for prompt mitigation.