Suspicious Parent Spawning Tiworker
Rule added on 20th February, 2024
Prerequisite:
The rule requires Sysmon to be enabled for proper functioning.
Rule type:
Correlation
Rule description:
This rule flags instances where "tiworker.exe" is spawned by an unexpected parent process. TiWorker.exe is the Windows Modules Installer Worker, a legitimate component of the Windows servicing (update) stack that runs with SYSTEM privileges and is normally launched by svchost.exe. Because of that trust, attackers either drop a malicious binary named tiworker.exe to blend in with routine update activity (masquerading), or launch it from an unusual parent to inherit or abuse its privileges (for example via parent PID spoofing). An unexpected parent is therefore worth investigating, although the same condition can be produced by a third-party installer or management tool that invokes the servicing stack directly, so confirm the parent before escalating.
Data source:
Windows: process creation events (Sysmon Event ID 1, which records both the new process image and its parent image)
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion
Techniques: T1134 - Access Token Manipulation, T1036 - Masquerading
Sub-techniques: T1134.004 - Parent PID Spoofing
Criteria:
Suspicious parent spawning tiworker.exe
Target process: tiworker.exe
Condition: Parent process name does NOT end with any of the following:
- Windows\System32\svchost.exe
- Windows\SysWow64\svchost.exe
- WINNT\system32\svchost.exe
tiworker.exe is normally spawned by a service-hosting svchost.exe instance, which is why the expected parents are the svchost.exe paths listed above. The comparison is on the tail of the full parent image path, so a binary named svchost.exe running from any other directory (for example a user-writable folder) still triggers the rule. Any other parent indicates either a masqueraded binary named tiworker.exe or an attempt to drive the genuine Windows Modules Installer Worker from an unexpected process, and should be investigated.
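As an added example (not the vendor's rule engine or any code from this page), the following Python applies the criteria above to four constructed Sysmon Event ID 1 records: normal servicing activity, a tiworker.exe copy in a user-writable folder, the genuine binary launched by a lookalike svchost.exe outside System32, and an unrelated process. The `image_outside_winsxs` field goes one step beyond the page's rule: the real TiWorker.exe lives under Windows\WinSxS, so a copy elsewhere strengthens the masquerading hypothesis. All paths, PIDs, timestamps and the WinSxS folder name in the sample events are made up.

```python
"""Added example: the "Suspicious parent spawning tiworker.exe" check run over
constructed Sysmon Event ID 1 (process creation) descriptions."""

# Parent image paths the rule treats as legitimate. They are matched as
# case-insensitive path suffixes, so C:\Windows\Temp\svchost.exe is NOT allowed.
ALLOWED_PARENT_SUFFIXES = (
    r"windows\system32\svchost.exe",
    r"windows\syswow64\svchost.exe",
    r"winnt\system32\svchost.exe",
)

# Constructed Sysmon Event ID 1 descriptions (the "Key: value" block Sysmon
# writes into the event message). Every value below is hypothetical.
SAMPLE_EVENTS = [
    # 1. Normal servicing activity: TiWorker.exe from WinSxS under a service svchost.
    "\n".join([
        "Process Create:",
        "UtcTime: 2024-02-20 10:15:30.123",
        "ProcessId: 4120",
        r"Image: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3636_none_f5c2a1b7e4d3c0a9\TiWorker.exe",
        r"ParentImage: C:\Windows\System32\svchost.exe",
        r"ParentCommandLine: C:\Windows\System32\svchost.exe -k DcomLaunch -p",
    ]),
    # 2. Masquerading: a binary named tiworker.exe dropped to a public folder.
    "\n".join([
        "Process Create:",
        "UtcTime: 2024-02-20 10:16:02.501",
        "ProcessId: 5588",
        r"Image: C:\Users\Public\tiworker.exe",
        r"ParentImage: C:\Users\Public\update.exe",
    ]),
    # 3. Genuine binary, but the parent is an svchost.exe lookalike outside System32.
    "\n".join([
        "Process Create:",
        "UtcTime: 2024-02-20 10:17:45.009",
        "ProcessId: 6012",
        r"Image: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3636_none_f5c2a1b7e4d3c0a9\TiWorker.exe",
        r"ParentImage: C:\Windows\Temp\svchost.exe",
    ]),
    # 4. Unrelated process: must be ignored by the target-process filter.
    "\n".join([
        "Process Create:",
        "UtcTime: 2024-02-20 10:18:10.770",
        "ProcessId: 7004",
        r"Image: C:\Windows\System32\cmd.exe",
        r"ParentImage: C:\Windows\explorer.exe",
    ]),
]


def parse_sysmon_message(message: str) -> dict:
    """Turn Sysmon's 'Key: value' description lines into a dict.
    Splitting on the first ':' keeps drive letters such as C:\\ intact."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def evaluate(event: dict):
    """Apply the rule to one parsed event: None if it does not match, else an alert."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if not image.lower().endswith(r"\tiworker.exe"):
        return None  # target-process filter: only tiworker.exe is in scope
    if parent.lower().endswith(ALLOWED_PARENT_SUFFIXES):
        return None  # expected svchost.exe parent from a trusted system path
    return {
        "UtcTime": event.get("UtcTime"),
        "ProcessId": event.get("ProcessId"),
        "Image": image,
        "ParentImage": parent,
        "reason": "tiworker.exe spawned by unexpected parent",
        # Extra context beyond the page's rule (assumption about the genuine binary's
        # location): a tiworker.exe outside Windows\WinSxS is very likely a lookalike.
        "image_outside_winsxs": "\\windows\\winsxs\\" not in image.lower(),
    }


def run_rule(messages) -> list:
    """Parse every event description and return the alerts the rule produces."""
    return [a for a in (evaluate(parse_sysmon_message(m)) for m in messages) if a]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: event 2 (lookalike binary, `image_outside_winsxs` true) and event 3 (genuine binary with an svchost.exe parent outside System32). Event 1 is suppressed by the parent allow-list and event 4 by the target-process filter. The suffix match on the parent path, rather than on the bare file name, is what makes event 3 visible.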
When to enable this rule:
Enable this rule to detect malware masquerading as tiworker.exe, or attempts to abuse the Windows Modules Installer for privilege escalation or defense evasion, by flagging tiworker.exe instances whose parent process is not the expected svchost.exe.
Compliance mapping (NIST, CIS):
Enabling this rule will help you comply with the below security standards' requirements:
NIST Cybersecurity Framework (CSF):
- DE.DP-4: Detection Processes - Develop and implement processes to detect the occurrence of a cybersecurity event.
CIS Controls:
- (4) Secure Configuration: Continuous Vulnerability Assessment and Remediation - Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Next steps:
Upon triggering this alert, the following actions can be taken:
- Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
- Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
- Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.