Suspicious Parent Spawning Csrss

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule monitors for situations where a process other than the legitimate "csrss.exe" (Client-Server Runtime System Process) spawns a new "csrss.exe" process.

Data source:

Windows: Network traffic, process, kernel

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002 - Execution, TA0005 - Defense Evasion,

Techniques: T1059 - Command and Scripting Interpreter, T1036 - Masquerading, T1027 - Obfuscated Files or Information

Sub-techniques: T1059.001 - PowerShell, T1059.003 - Windows Command Shell

Criteria:

This rule targets processes ending with "csrss.exe" (including paths with System32 or SysWow64).

It marks the spawn as suspicious if the parent is not one of the following:

• A legitimate smss.exe process.
• The system process ("System").
• A legitimate svchost.exe process (svchost.exe can sometimes spawn csrss.exe).

When to enable this rule:

Enable this rule when the user wants to identify potential malware activity involving the spawning of processes with csrss as the parent, indicating possible system compromise or manipulation.

Compliance mapping (NIST, CIS):

• NIST CSF: DE.AE (Detection Processes) for monitoring unusual activity related to the Client Server Runtime Process.
• CIS Control: 8 (Malware Defense) to protect against the exploitation of csrss.exe, which is vital for Windows operation.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.