Suspicious Parent Spawning Searchprotocolhost

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule focuses on instances where a suspicious process spawns "searchprotocolhost.exe", a program involved in Windows Search functionality. Malicious actors might try to exploit it for privilege escalation or lateral movement within the network.

Data source:

Windows: Network traffic, process, file

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0007 - Discovery, TA0006 - Credential Access

Techniques: T1134 - Access Token Manipulation, T1036 - Masquerading, T1049 - System Network Configuration Discovery, T1003 - OS Credential Dumping

Sub-techniques: T1134.004 - Parent PID Spoofing

Criteria:

Target process: Any process ending with "searchprotocolhost.exe"

Condition: Parent process name does NOT end with any of the following:

  • Windows\System32\searchindexer.exe
  • Windows\SysWow64\searchindexer.exe
  • WINNT\system32\searchindexer.exe
  • Windows\System32\dllhost.exe
  • Windows\SysWow64\dllhost.exe
  • WINNT\system32\dllhost.exe

The searchprotocolhost.exe process is normally spawned by either searchindexer.exe or dllhost.exe. An unexpected parent process could indicate an attempt to inject malicious code.
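As an added illustration, not part of the rule's own implementation, the following Python applies the criteria above to a few constructed Sysmon Event ID 1 (Process Create) records rendered as "Key: Value" text. The field names Image, ParentImage and ProcessId are Sysmon's; the sample paths and PIDs are made up, and the comparison is done case-insensitively because Windows paths are.

```python
"""Offline evaluation of the rule's criteria against Sysmon Event ID 1 records."""

# Allowed parent suffixes exactly as listed in the rule (lowercased for case-insensitive matching).
ALLOWED_PARENT_SUFFIXES = (
    r"windows\system32\searchindexer.exe",
    r"windows\syswow64\searchindexer.exe",
    r"winnt\system32\searchindexer.exe",
    r"windows\system32\dllhost.exe",
    r"windows\syswow64\dllhost.exe",
    r"winnt\system32\dllhost.exe",
)

def parse_sysmon_event(text):
    """Split rendered 'Key: Value' lines into a dict; partition on the first ':' so 'C:\\' stays in the value."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_suspicious_parent(event):
    """Rule logic: Image ends with searchprotocolhost.exe and ParentImage matches none of the allowed suffixes."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower().replace("/", "\\")
    if not image.endswith("searchprotocolhost.exe"):
        return False  # not the target process; the rule does not apply
    # A missing ParentImage also fires: an expected parent cannot be confirmed.
    return not parent.endswith(ALLOWED_PARENT_SUFFIXES)

# Constructed sample events, not real telemetry. The third has a lookalike searchindexer.exe
# outside System32, which is why the allowed suffixes include the directory, not just the file name.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\SearchProtocolHost.exe\nParentImage: C:\\Windows\\System32\\SearchIndexer.exe\nProcessId: 4120",
    "Image: C:\\Windows\\System32\\SearchProtocolHost.exe\nParentImage: C:\\Windows\\SysWOW64\\dllhost.exe\nProcessId: 4188",
    "Image: C:\\Windows\\System32\\SearchProtocolHost.exe\nParentImage: C:\\Users\\Public\\SearchIndexer.exe\nProcessId: 5012",
    "Image: C:\\Windows\\System32\\SearchProtocolHost.exe\nParentImage: C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe\nProcessId: 5100",
    "Image: C:\\Windows\\System32\\notepad.exe\nParentImage: C:\\Windows\\explorer.exe\nProcessId: 6000",
]

def evaluate(event_texts):
    """Return (ProcessId, ParentImage) for every event that satisfies the rule."""
    hits = []
    for event in map(parse_sysmon_event, event_texts):
        if is_suspicious_parent(event):
            hits.append((event.get("ProcessId", ""), event.get("ParentImage", "")))
    return hits

if __name__ == "__main__":
    for pid, parent in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: searchprotocolhost.exe (PID {pid}) spawned by unexpected parent {parent}")
```

Running it flags only the two events whose parent is outside the listed system directories; the SearchIndexer.exe and dllhost.exe parents pass despite their mixed-case paths.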

When to enable this rule:

Enable this rule to identify potential malicious activity or system compromise by detecting searchprotocolhost processes spawned by an unexpected parent.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Detection Processes) to detect non-standard parent processes, signaling possible misuse.
  • CIS Control: 8 (Malware Defense) to monitor and control the spawning of Search Protocol Host to prevent data leakage or system compromise.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.