Suspicious Parent Spawning Runtimebroker

Rule added on 20th February, 2024

In this page

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule keeps an eye out for a suspicious process creating a new instance of "runtimebroker.exe". This program is a legitimate part of the Windows Update process. However, attackers can potentially misuse it for malicious purposes.

Data source:

Windows: Network traffic, process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion

Techniques: T1134 - Access Token Manipulation, T1036 - Masquerading

Sub-techniques: T1134.004 - Parent PID Spoofing

Criteria:

Suspicious parent spawning runtimebroker.exe

Target process: Any process ending with "runtimebroker.exe" (including paths with System32 or SysWow64).

Condition: Parent process name does NOT end with any of the following:

  • Windows\System32\svchost.exe
  • Windows\SysWow64\svchost.exe
  • WINNT\system32\svchost.exe

The legitimate runtimebroker.exe process is typically spawned by a legitimate svchost.exe service. An unexpected parent process could be a sign of malware.

When to enable this rule:

Enable this rule when the user wants to detect possible exploitation or unauthorized access attempts by identifying suspicious parent spawning of runtimebroker processes.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

  • NIST CSF: DE.AE (Detection Processes) to detect abnormal spawning activities that could compromise system security.
  • CIS Control: 8 (Malware Defense) to oversee and control the execution behavior of Runtime Broker to mitigate potential threats.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.