Suspicious parent spawning fontdrvhost

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This correlation rule is designed to detect potentially risky behavior by monitoring the parent process of newly created processes. It specifically focuses on the "fontdrvhost.exe" program. Fontdrvhost.exe is a legitimate Windows component involved in font rendering. However, attackers can exploit it to execute malicious code. This rule looks for situations where a suspicious parent (not a trusted Windows process) spawns fontdrvhost.exe. By flagging such occurrences, the rule helps identify potential attempts to inject malicious code or manipulate font handling mechanisms for malicious purposes.

Data source:

Windows: Network traffic, process, application log

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access

Techniques: T1059 - Command and Scripting Interpreter, T1055 - Process Injection, T1547 - Boot or Logon Autostart Execution, T1543 - Create or Modify System Process, T1003 - OS Credential Dumping

Sub-techniques: T1059.003 - Windows Command Shell

Criteria:

Process Name Check: The rule first checks if the process name ends with "fontdrvhost.exe". This identifies processes specifically named fontdrvhost.exe.

Parent Process Exclusion: Then, it excludes parent processes from the list of allowed ones. These allowed parent processes are:

• Windows\System32\wininit.exe
• Windows\SysWow64\wininit.exe
• WINNT\system32\wininit.exe
• Windows\System32\winlogon.exe
• Windows\SysWow64\winlogon.exe
• WINNT\system32\winlogon.exe

These processes are considered legitimate parents for fontdrvhost.exe.

When to enable this rule:

Enable this rule to identify suspicious activity indicative of process injection or rootkit installation.

Compliance mapping (NIST, CIS):

• NIST CSF: DE.AE (Detection Processes) to identify unexpected parent processes suggesting potential exploitation.
• CIS Control: 8 (Malware Defense) to monitor and restrict the spawning of font driver host processes to mitigate exploitation risks.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.