Suspicious Parent Spawning Searchindexer

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon process-creation logging (Event ID 1) to be enabled on the monitored hosts; without it there is no parent/child image data for the correlation to work on.

Rule type:

Correlation

Rule description:

This rule fires when a process other than the Service Control Manager launches "searchindexer.exe". searchindexer.exe is the legitimate host process of the Windows Search (WSearch) service and is normally started by services.exe. Any other parent therefore suggests that the binary has been renamed or replaced to masquerade as the indexer, or that the process tree has been manipulated, as a step toward data exfiltration or other malicious activity.

Data source:

Windows: Network traffic, process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0007 - Discovery

Techniques: T1134 - Access Token Manipulation, T1016 - System Network Configuration Discovery

Sub-techniques: T1134.004 - Parent PID Spoofing

Criteria:

Suspicious parent spawning searchindexer.exe

Target process: Any process whose image path ends with "searchindexer.exe" (the directory is not checked, so a copy dropped in a user-writable location still matches).

Condition: Parent process image path does NOT end with any of the following:

• Windows\System32\services.exe
• Windows\SysWow64\services.exe
• WINNT\system32\services.exe

Sysmon derives the parent from the child's PPID, so a parent spoofed via T1134.004 to appear as services.exe will not trigger this rule. Pair it with checks that the indexer image resides in \Windows\System32\ and carries a valid Microsoft signature.
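The following is an added example, not the vendor's rule logic: it applies the criteria above to Sysmon Event ID 1 records in Windows event XML form. The field names Image and ParentImage are Sysmon's own; the sample events are constructed for illustration, and matching is done case-insensitively here because Sysmon records the image as SearchIndexer.exe (whether the product's engine does the same is not stated on this page).

```python
"""Apply the "suspicious parent spawning searchindexer.exe" rule to Sysmon
Event ID 1 (process creation) records in Windows event XML form.

Added example for this page; the events below are constructed, not real
telemetry, and the product's rule engine is not represented."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Criteria from the rule: target image suffix and the parent allowlist.
TARGET_SUFFIX = "searchindexer.exe"
ALLOWED_PARENT_SUFFIXES = (
    r"windows\system32\services.exe",
    r"windows\syswow64\services.exe",
    r"winnt\system32\services.exe",
)


def parse_sysmon_event(xml_text):
    """Return (event_id, {DataName: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def matches_rule(event_id, data):
    """True for a process creation of searchindexer.exe whose parent is not
    an allowlisted services.exe. Comparison is case-insensitive because
    Sysmon records the image as SearchIndexer.exe."""
    if event_id != 1:
        return False
    image = data.get("Image", "").lower()
    parent = data.get("ParentImage", "").lower()
    if not image.endswith(TARGET_SUFFIX):
        return False
    return not parent.endswith(ALLOWED_PARENT_SUFFIXES)


def run_rule(xml_events):
    """Return one alert dict per matching event, keeping the fields an
    analyst needs first for triage."""
    alerts = []
    for xml_text in xml_events:
        event_id, data = parse_sysmon_event(xml_text)
        if matches_rule(event_id, data):
            alerts.append({k: data.get(k, "") for k in
                           ("Image", "ParentImage", "ParentCommandLine", "User")})
    return alerts


def sysmon_event(event_id, **fields):
    """Build a constructed Sysmon event with the minimal Windows event XML shape."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    # Benign: the Windows Search indexer started by the Service Control Manager.
    sysmon_event(1, Image=r"C:\Windows\System32\SearchIndexer.exe",
                 ParentImage=r"C:\Windows\System32\services.exe",
                 ParentCommandLine=r"C:\Windows\System32\services.exe",
                 User="NT AUTHORITY\\SYSTEM"),
    # Alert: a copy named searchindexer.exe in a user-writable path, spawned by Word.
    sysmon_event(1, Image=r"C:\Users\Public\searchindexer.exe",
                 ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 ParentCommandLine=r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm',
                 User=r"WORKSTATION\alice"),
    # Alert: the genuine binary launched from an interactive PowerShell rather than the SCM.
    sysmon_event(1, Image=r"C:\Windows\System32\SearchIndexer.exe",
                 ParentImage=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 ParentCommandLine="powershell.exe -nop -w hidden",
                 User=r"WORKSTATION\alice"),
    # Out of scope: a different image with an unusual parent.
    sysmon_event(1, Image=r"C:\Windows\System32\notepad.exe",
                 ParentImage=r"C:\Users\Public\dropper.exe"),
    # Out of scope: a network connection event (ID 3) for the indexer, not a process start.
    sysmon_event(3, Image=r"C:\Windows\System32\SearchIndexer.exe",
                 ParentImage=r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the rule raises two alerts (the renamed copy under C:\Users\Public and the genuine binary started from PowerShell) and stays silent on the services.exe-parented start, the unrelated image, and the Event ID 3 record. Keeping ParentCommandLine and User in the alert gives the analyst the context the triage steps below call for without a second query.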

When to enable this rule:

Enable this rule to detect malware or host compromise that masquerades as, or tampers with, the Windows Search indexer, by alerting whenever searchindexer.exe is spawned by a parent other than the Service Control Manager.

Compliance mapping (NIST, CIS):

• NIST CSF: DE.AE (Anomalies and Events) for identifying irregular spawning of the search indexer, indicative of potential exploits.
• CIS Control: 8 (Malware Defenses, CIS Controls v7 numbering; Control 10 in v8) to ensure the search indexing service is not misused for malicious activities.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Attach this alert to an existing incident or open a new one, and assign it to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and assess the degree of compromise using the Incident Workbench, starting with the parent process, its command line and the image path of the spawned searchindexer.exe, to gauge the threat's severity.
• Response: Use Workflows to run an automated response that terminates the identified malicious process for prompt mitigation, once the analysis has confirmed it is not the legitimate indexer.