Suspicious Parent Spawning Dwm

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This correlation rule looks at the parent of every newly created process and focuses on dwm.exe, the Desktop Window Manager, the legitimate Windows component that composes the desktop and is always running on an interactive session. Because that name is expected in any process list, malware commonly masquerades as dwm.exe (a dropped binary with that name, or the real image hollowed out and refilled with attacker code) so that a malicious process blends in. On a healthy system the real dwm.exe is started by winlogon.exe, so the rule flags instances where any other parent, i.e. a process that is not one of the trusted Windows processes listed under Criteria, spawns a process named dwm.exe. Such an event is worth investigating as a possible attempt to abuse the dwm.exe name or binary for malicious purposes.

Data source:

Windows: process creation events (Sysmon Event ID 1, which supplies the Image and ParentImage fields the criteria are evaluated on); the rule's criteria do not consult network traffic or application logs.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002 - Execution, TA0004 - Privilege Escalation, TA0005 - Defense Evasion

Techniques: T1059 - Command and Scripting Interpreter, T1055 - Process Injection, T1547 - Boot or Logon Autostart Execution, T1543 - Create or Modify System Process, T1071 - Application Layer Protocol

Sub-techniques: T1059.001 - PowerShell, T1059.003 - Windows Command Shell, T1055.012 - Process Hollowing, T1543.002 - System Services, T1071.001 - Web Protocols

Criteria:

Process Name: The rule matches processes whose image (the full path as logged by Sysmon) ends with "dwm.exe". The location on disk is deliberately not checked: a dwm.exe running from anywhere other than System32 is exactly what the rule should surface. Note that a plain suffix match also accepts names such as "xdwm.exe"; if the field holds the full path, anchoring the match on the path separator ("\dwm.exe") restricts it to executables actually named dwm.exe.

Parent Process Exclusion: The rule excludes processes where the parent process name ends with any of the following:

  • "Windows\System32\wininit.exe"
  • "Windows\SysWow64\wininit.exe"
  • "WINNT\system32\wininit.exe"
  • "Windows\System32\winlogon.exe"
  • "Windows\SysWow64\winlogon.exe"
  • "WINNT\system32\winlogon.exe"

By looking for dwm.exe spawns that don't originate from the expected parent processes (winlogon.exe, or wininit.exe, which the rule also trusts), the rule aims to identify malware that is masquerading as, or tampering with, the Desktop Window Manager. Two tuning notes: the parent exclusion is likewise a suffix match evaluated against the parent's full path, and the System32/SysWow64/WINNT prefixes keep a same-named binary dropped elsewhere (for example C:\Users\Public\winlogon.exe) from being trusted. On Windows 7 the real dwm.exe is started by the Desktop Window Manager Session Manager service (UxSms) hosted in svchost.exe rather than by winlogon.exe, so legacy hosts will alert on every logon unless that parent is verified and added to the exclusion list.
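As an added illustration, not the rule engine's own code or the vendor's implementation, the Python below re-implements the two criteria and runs them over a handful of constructed Sysmon Event ID 1 records in their "Key: Value" text rendering. The field names Image and ParentImage are the real Sysmon ones; the log content, the case-insensitive comparison and the optional strict mode (anchoring the image match on the path separator) are assumptions. The sample set includes a dwm.exe started by svchost.exe, which is legitimate on Windows 7 but fires the rule as written, and an xdwm.exe that only the loose suffix match catches.

```python
"""Re-implementation of the 'Suspicious Parent Spawning Dwm' criteria over Sysmon Event ID 1 text."""
import re

# Parent image suffixes the rule trusts (taken from the Criteria section).
TRUSTED_PARENT_SUFFIXES = (
    r"Windows\System32\wininit.exe",
    r"Windows\SysWow64\wininit.exe",
    r"WINNT\system32\wininit.exe",
    r"Windows\System32\winlogon.exe",
    r"Windows\SysWow64\winlogon.exe",
    r"WINNT\system32\winlogon.exe",
)

# Constructed sample: five Sysmon Event ID 1 messages in "Key: Value" text form,
# separated by blank lines. None of this is real telemetry.
SAMPLE_LOG = r"""
Process Create:
UtcTime: 2024-02-20 09:14:02.331
Image: C:\Windows\System32\dwm.exe
ParentImage: C:\Windows\System32\winlogon.exe
User: Window Manager\DWM-1

Process Create:
UtcTime: 2024-02-20 09:21:47.004
Image: C:\Users\Public\dwm.exe
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: CORP\jdoe

Process Create:
UtcTime: 2024-02-20 09:30:10.512
Image: C:\Windows\System32\dwm.exe
ParentImage: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\SYSTEM

Process Create:
UtcTime: 2024-02-20 09:35:58.777
Image: C:\Tools\xdwm.exe
ParentImage: C:\Windows\explorer.exe
User: CORP\jdoe

Process Create:
UtcTime: 2024-02-20 09:40:00.001
Image: C:\Windows\System32\notepad.exe
ParentImage: C:\Windows\explorer.exe
User: CORP\jdoe
"""

# One "Key: Value" field per line; the "Process Create:" header does not match.
FIELD = re.compile(r"^(\w+): (.*)$")


def parse_sysmon(text):
    """Split Sysmon message text into one dict of fields per event block."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        events.append(current)
    return events


def is_dwm(image, strict=False):
    """The rule's Image test: a suffix match on 'dwm.exe'. strict=True (an assumed
    tightening, not part of the rule) anchors on the path separator so that e.g.
    xdwm.exe is not treated as dwm.exe."""
    name = image.lower()  # case-insensitive comparison is assumed
    if strict:
        return name.rsplit("\\", 1)[-1] == "dwm.exe"
    return name.endswith("dwm.exe")


def has_trusted_parent(parent_image):
    """The rule's ParentImage exclusion: suffix match against the trusted list."""
    p = parent_image.lower()
    return any(p.endswith(s.lower()) for s in TRUSTED_PARENT_SUFFIXES)


def run_rule(events, strict=False):
    """Return the events that would fire the correlation rule."""
    return [e for e in events
            if is_dwm(e.get("Image", ""), strict)
            and not has_trusted_parent(e.get("ParentImage", ""))]


if __name__ == "__main__":
    for hit in run_rule(parse_sysmon(SAMPLE_LOG)):
        print(f"{hit['UtcTime']}  {hit['ParentImage']}  ->  {hit['Image']}  ({hit['User']})")
```

Running it prints three hits: the dwm.exe launched from PowerShell out of C:\Users\Public, the svchost.exe-spawned dwm.exe (a Windows 7 false positive if such hosts are in scope), and xdwm.exe; with strict=True the last one drops out, which is the trade-off to weigh before tightening the name match in production.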

When to enable this rule:

Enable this rule on hosts where Sysmon process-creation logging is in place and you want to catch masquerading, process hollowing or other exploitation and privilege escalation attempts that abuse the dwm.exe name; validate the parent exclusions first if Windows 7 hosts are in scope.

Compliance mapping (NIST, CIS):

NIST CSF: DE.AE (Anomalies and Events) for the detection of unusual process relationships indicating potential security incidents.

CIS Control: 8 (Malware Defenses; numbered Control 10 in CIS Controls v8) to safeguard against the misuse of the Desktop Window Manager by malicious entities.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.