Detecting the presence of taskhost Spawning Suspicious Child

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule watches for the process taskhost.exe spawning new child processes that are identified as suspicious. Taskhost.exe is a legitimate Windows process, but attackers can misuse it to launch malware. By monitoring its spawned processes for suspicious activity, this rule helps identify potential attempts to inject malicious code into the system.

Data source:

Windows: User account, process, network traffic

Relevant MITRE ATT&CK techniques and tactics:

Criteria:

Process name exclusion: This rule excludes processes that end with the following names:

• werfault.exe: Windows Error Reporting Service
• wermgr.exe: Windows Error Reporting Manager
• werFaultSecure.exe: Secure version of Windows Error Reporting Service

Parent Process name ends with: This is a logical OR (||) condition that checks if the parent process name ends with any of the following:

• Windows\System32\taskhost.exe: This is the legitimate taskhost.exe located in the System32 directory.
• Windows\SysWow64\taskhost.exe: This is the legitimate taskhost.exe located in the SysWow64 directory (for 64-bit Windows).
• WINNT\system32\taskhost.exe: This is an older version of the legitimate taskhost.exe on some Windows systems.

The rule essentially flags any process except legitimate Windows Error Reporting tools (werfault.exe, wermgr.exe, WerFaultSecure.exe) that are spawned by one of the legitimate versions of taskhost.exe.

When to enable this rule:

Enable this rule when the user wants to detect lateral movement or privilege escalation attempts through taskhost.exe spawning suspicious child processes. While taskhost.exe is a legitimate process, attackers can abuse it to bypass application whitelisting and inject malicious code into memory. Monitoring suspicious child processes spawned by taskhost.exe can help identify these attempts.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

NIST Cybersecurity Framework (CSF): DE.AE (Detection Processes) for identifying unusual activity that could suggest security incidents.

CIS Control: 8 (Malware Defense) to monitor and mitigate unauthorized or malicious process creations.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assigning the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.