
Suspicious Parent Spawning Taskhost

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

The rule monitors situations where a process flagged as malicious (e.g., malware, hacking tool) launches the legitimate taskhost.exe program. Taskhost.exe normally hosts DLL-based tasks on behalf of other components, and attackers may abuse it as a trusted-looking host process into which they inject or load their own malicious code.

Data source:

Windows: Network traffic, process, kernel

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0006 - Credential Access, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0002 - Execution

Techniques: T1003 - OS Credential Dumping, T1027 - Obfuscated Files or Information, T1134 - Access Token Manipulation, T1059 - Command and Scripting Interpreter

Sub-techniques: T1003.003 - NTDS, T1134.004 - Parent PID Spoofing, T1059.001 - PowerShell, T1059.003 - Windows Command Shell

Criteria:

The rule fires only when the parent process image path does not end with any of the following:

  • Windows\System32\services.exe
  • Windows\SysWow64\services.exe
  • WINNT\system32\services.exe
  • Windows\System32\svchost.exe
  • Windows\SysWow64\svchost.exe
  • WINNT\system32\svchost.exe

These are all legitimate locations for the services.exe and svchost.exe processes. The rule aims to exclude normal scenarios where these processes spawn taskhost.exe.

The rule then checks that the child process image path ends with "taskhost.exe" (this covers both the System32 and SysWow64 copies). Because the exclusion is a path-suffix match rather than a bare file-name match, a services.exe or svchost.exe running from a non-standard directory is still treated as a suspicious parent.
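As an added example (not the rule's own logic or the vendor's code), the criteria above expressed as a check over Sysmon Event ID 1 (process creation) records. The field names Image and ParentImage are Sysmon's; the sample events are constructed for the demonstration.

```python
# Legitimate parent image path suffixes, taken from the rule's exclusion list.
LEGIT_PARENT_SUFFIXES = (
    r"Windows\System32\services.exe",
    r"Windows\SysWow64\services.exe",
    r"WINNT\system32\services.exe",
    r"Windows\System32\svchost.exe",
    r"Windows\SysWow64\svchost.exe",
    r"WINNT\system32\svchost.exe",
)


def is_suspicious_taskhost_spawn(event: dict) -> bool:
    """Return True when a process-creation event matches the rule: the child
    image ends with taskhost.exe and the parent image does not end with one
    of the legitimate services.exe / svchost.exe locations.
    Windows paths are case-insensitive, so both sides are lower-cased."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("taskhost.exe"):
        return False
    # Suffix match, not file-name match: a copy of svchost.exe running from
    # an unusual directory is NOT excluded.
    return not any(parent.endswith(s.lower()) for s in LEGIT_PARENT_SUFFIXES)


# Constructed sample events (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1100, "Image": r"C:\Windows\System32\taskhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},          # benign
    {"EventID": 1, "ProcessId": 1104, "Image": r"C:\Windows\SysWOW64\taskhost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},         # benign
    {"EventID": 1, "ProcessId": 2208, "Image": r"C:\Windows\System32\taskhost.exe",
     "ParentImage": r"C:\Users\Public\update.exe"},               # alert
    {"EventID": 1, "ProcessId": 2210, "Image": r"C:\Windows\System32\taskhost.exe",
     "ParentImage": r"C:\Windows\Temp\svchost.exe"},              # alert (masquerade)
    {"EventID": 1, "ProcessId": 2212, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\Public\update.exe"},               # not taskhost
]


def find_alerts(events) -> list:
    """Return the ProcessIds of process-creation events that trigger the rule."""
    return [e["ProcessId"] for e in events
            if e.get("EventID") == 1 and is_suspicious_taskhost_spawn(e)]


if __name__ == "__main__":
    for pid in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: suspicious parent spawned taskhost.exe (child PID {pid})")
```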

When to enable this rule:

Enable this rule to identify instances of taskhost.exe being spawned by an unexpected parent, which may indicate malware execution or an exploitation attempt.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Detection Processes) for detecting abnormal behaviors in the task host process.
  • CIS Control: 8 (Malware Defense) to monitor and control taskhost.exe to prevent execution of malicious tasks.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.