Detecting the presence of smss spawning suspicious child

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule targets potential privilege escalation attempts by monitoring the legitimate process smss.exe (Security Manager Subsystem) for spawning unusual child processes. Since smss.exe has high privileges, attackers might try to exploit it to launch malicious programs and gain unauthorized control. The rule flags such suspicious child processes for further investigation.

Data source:

Windows: process, network traffic

Relevant MITRE ATT&CK techniques and tactics:

Tactics: Execution (T1059)

Techniques: Command and Scripting Interpreter (T1059.004)

Sub-techniques: Defense Evasion (T1562)

Criteria:

Parent Process Check:

  • The rule first focuses on the parent process of the process being analyzed.
  • It checks if the parent process name ends with any of the following:
    • "Windows\System32\smss.exe"
    • "Windows\SysWow64\smss.exe"
    • "Windows\smss.exe"
    • "Windows\System32\Event Agent\Bin\smss.exe"

These are all valid paths for the Windows Service Manager (smss.exe), a critical system process responsible for loading drivers and other system services during startup.

It excludes child processes whose image path ends with any of the following:

  • "Windows\System32\smss.exe"
  • "Windows\SysWow64\smss.exe"
  • "Windows\smss.exe"
  • "Windows\System32\Event Agent\Bin\smss.exe"
  • "Windows\System32\csrss.exe" (Critical System Process - Client/Server Runtime Subsystem)
  • "Windows\SysWow64\csrss.exe" (Critical System Process - Client/Server Runtime Subsystem)
  • "WINNT\system32\csrss.exe" (Alternate path for csrss.exe)
  • "Windows\System32\wininit.exe" (Critical System Process - Windows Initialization)
  • "Windows\SysWow64\wininit.exe" (Critical System Process - Windows Initialization)
  • "WINNT\system32\wininit.exe" (Alternate path for wininit.exe)
  • "Windows\System32\winlogon.exe" (Critical System Process - Windows Logon)
  • "Windows\SysWow64\winlogon.exe" (Critical System Process - Windows Logon)
  • "WINNT\system32\winlogon.exe"

This rule flags situations where autochk.exe is spawned by a seemingly legitimate system process (smss.exe) but is not one of the standard system processes expected to spawn autochk.exe.
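The parent/child criteria above as executable detection logic, written here as an added example rather than the product's own rule implementation. It assumes Sysmon Event ID 1 (process creation) records with the ParentImage and Image fields and a case-insensitive suffix match, since Windows paths are case-insensitive; the sample records are constructed, not real telemetry.

```python
# Added example (not the vendor's rule code): reference implementation of the
# parent/child criteria, run over constructed Sysmon Event ID 1 records.
PARENT_SUFFIXES = (
    r"Windows\System32\smss.exe",
    r"Windows\SysWow64\smss.exe",
    r"Windows\smss.exe",
    r"Windows\System32\Event Agent\Bin\smss.exe",
)

# Expected children of smss.exe; matching images are excluded from alerting.
EXCLUDED_CHILD_SUFFIXES = PARENT_SUFFIXES + (
    r"Windows\System32\csrss.exe",
    r"Windows\SysWow64\csrss.exe",
    r"WINNT\system32\csrss.exe",
    r"Windows\System32\wininit.exe",
    r"Windows\SysWow64\wininit.exe",
    r"WINNT\system32\wininit.exe",
    r"Windows\System32\winlogon.exe",
    r"Windows\SysWow64\winlogon.exe",
    r"WINNT\system32\winlogon.exe",
)

def _ends_with_any(path, suffixes):
    # Assumption: Windows paths are case-insensitive, so compare in lower case.
    p = path.lower()
    return any(p.endswith(s.lower()) for s in suffixes)

def is_suspicious_smss_child(event):
    """True when ParentImage is smss.exe and Image is not an expected child."""
    if not _ends_with_any(event.get("ParentImage", ""), PARENT_SUFFIXES):
        return False
    return not _ends_with_any(event.get("Image", ""), EXCLUDED_CHILD_SUFFIXES)

def evaluate(events):
    """Return the (ParentImage, Image) pairs the rule would alert on."""
    return [(e["ParentImage"], e["Image"]) for e in events if is_suspicious_smss_child(e)]

# Constructed sample records (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\smss.exe", "Image": r"C:\Windows\System32\csrss.exe"},
    {"ParentImage": r"C:\Windows\System32\smss.exe", "Image": r"C:\Windows\System32\wininit.exe"},
    {"ParentImage": r"C:\Windows\System32\smss.exe", "Image": r"C:\Windows\System32\smss.exe"},
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\SMSS.EXE", "Image": r"C:\Users\Public\update.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Users\Public\update.exe"},
]

if __name__ == "__main__":
    for parent, child in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {parent} spawned {child}")
```

Only the fourth sample record alerts: its parent is smss.exe (matched despite the upper-case path) and its child is not on the exclusion list.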

When to enable this rule:

Enable this rule when the user wants to identify privilege escalation attempts by detecting the presence of smss.exe (Security Manager Subsystem) spawning suspicious child processes. This correlation targets attackers seeking unauthorized control by leveraging the high privileges of smss.exe to execute malicious programs.

Compliance mapping (NIST, CIS):

NIST Cybersecurity Framework (CSF): DE.AE (Detection Processes) focuses on the detection of unexpected or unauthorized system process behaviors.

CIS: 8 (Malware Defense) to safeguard against the misuse of system processes to execute malicious code.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.