
Suspicious Parent Spawning Smss

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule looks for instances where a process other than the legitimate "smss.exe" (Session Manager Subsystem) or the System process spawns a new "smss.exe" process. On a healthy Windows host, smss.exe is started only by the System process at boot and by the initial smss.exe instance when it creates a new session, so any other parent points to a binary masquerading as smss.exe or to code injected into a privileged process. Attackers abuse the trust placed in this name to run malicious code with high privileges.

Data source:

Windows: Network traffic, process, kernel

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion

Techniques: T1055 - Process Injection, T1036 - Masquerading, T1548 - Abuse Elevation Control Mechanism

Sub-techniques: T1055.012 - Process Hollowing, T1548.002 - Bypass User Account Control

Criteria:

ProcessName EndsWith: This part checks whether the name of the created process ends with one of the listed strings, that is, whether it is an "smss.exe" in one of these specific locations:

  • Windows\System32\smss.exe
  • Windows\SysWow64\smss.exe
  • Windows\smss.exe
  • Windows\System32\Event Agent\Bin\smss.exe

These are the valid locations for the legitimate smss.exe process, the Session Manager Subsystem, a core Windows system process that creates user sessions and starts the other session processes.

ParentProcessName NOTendsWith: This part checks that the name of the parent of the identified "smss.exe" does NOT end with any of the strings listed above (the valid smss.exe locations), and also does NOT end with "System". These two exclusions cover the only parents a genuine smss.exe should have: the initial smss.exe, which spawns a further smss.exe instance for each new session, and the System process (PID 4), which starts the initial smss.exe at boot.
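The two criteria above, applied to Sysmon process-creation (Event ID 1) records, as an added example that is not part of the original rule page or the product's own code. The records are constructed for illustration; the field names (Image, ParentImage, ProcessId, ParentProcessId) follow Sysmon's Event ID 1 layout, and case-insensitive suffix matching is an assumption about how the rule's EndsWith operator treats Windows paths.

```python
"""Evaluate the 'Suspicious parent spawning smss' criteria over Sysmon Event ID 1 records."""
import re

# The rule's ProcessName EndsWith list: the locations of the genuine smss.exe.
LEGIT_SMSS_SUFFIXES = (
    r"windows\system32\smss.exe",
    r"windows\syswow64\smss.exe",
    r"windows\smss.exe",
    r"windows\system32\event agent\bin\smss.exe",
)

# Constructed sample records (not real telemetry), one blank line between records.
SAMPLE_SYSMON_EVENTS = r"""
EventID: 1
ProcessId: 432
Image: C:\Windows\System32\smss.exe
ParentProcessId: 4
ParentImage: System

EventID: 1
ProcessId: 512
Image: C:\Windows\System32\smss.exe
ParentProcessId: 432
ParentImage: C:\Windows\System32\smss.exe

EventID: 1
ProcessId: 6120
Image: C:\Windows\System32\smss.exe
ParentProcessId: 5988
ParentImage: C:\Users\Public\dropper.exe

EventID: 1
ProcessId: 6204
Image: C:\Users\Public\smss.exe
ParentProcessId: 3104
ParentImage: C:\Windows\explorer.exe

EventID: 1
ProcessId: 6310
Image: C:\Windows\System32\smss.exe
ParentProcessId: 6290
ParentImage: C:\Temp\System
"""


def parse_sysmon_records(text):
    """Split blank-line-separated 'Key: Value' blocks into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")  # first ': ' ends the key; 'C:\' has no space
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def _ends_with_any(path, suffixes):
    # Assumption: EndsWith is case-insensitive, as Windows paths are.
    p = path.lower()
    return any(p.endswith(s) for s in suffixes)


def is_suspicious_smss_spawn(event):
    """Apply the rule's two criteria to a single Event ID 1 record."""
    if event.get("EventID") != "1":
        return False
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    # ProcessName EndsWith: only smss.exe in a legitimate location is in scope.
    if not _ends_with_any(image, LEGIT_SMSS_SUFFIXES):
        return False
    # ParentProcessName NOTendsWith: the initial smss.exe spawning another
    # smss.exe for a new session is expected and excluded ...
    if _ends_with_any(parent, LEGIT_SMSS_SUFFIXES):
        return False
    # ... as is the System process, which starts the initial smss.exe at boot.
    if parent.lower().endswith("system"):
        return False
    return True


def find_suspicious(text):
    """Return the ProcessIds of all records that satisfy the rule."""
    return [r.get("ProcessId") for r in parse_sysmon_records(text) if is_suspicious_smss_spawn(r)]


if __name__ == "__main__":
    for rec in parse_sysmon_records(SAMPLE_SYSMON_EVENTS):
        verdict = "ALERT" if is_suspicious_smss_spawn(rec) else "ok"
        print(f"{verdict:5} pid={rec['ProcessId']} image={rec['Image']} parent={rec['ParentImage']}")
```

Only PID 6120 (smss.exe started by a dropper) is flagged. The last two records show what the criteria as written do not cover: an smss.exe outside the listed directories (PID 6204) fails the ProcessName check, so a plain out-of-path masquerade needs a separate rule, and a parent whose path happens to end in "System" (PID 6310) is excluded by the parent check; a parent ProcessId of 4 is a tighter way to identify the real System process.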

When to enable this rule

Enable this rule to detect potential lateral movement or privilege escalation attempts by malware that masquerades as, or injects into, smss.exe. Any parent of smss.exe other than the System process or another legitimate smss.exe is unusual and warrants investigation.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Anomalies and Events) to detect and analyze anomalies in the spawning of the Session Manager Subsystem.
  • CIS Control: 8 (Malware Defense) to prevent misuse of smss.exe, crucial for session management, by malware.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.