Suspicious Parent Spawning Winlogon

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule monitors situations where a new winlogon.exe (the Windows Logon process) is started by a parent other than the Session Manager, smss.exe, which is the only process that legitimately launches winlogon.exe. A winlogon.exe started by any other process may be malware masquerading as the logon process or an attempt to tamper with, or bypass, the interactive logon path.

Data source:

Windows: process creation events (Sysmon Event ID 1: Process Create), which carry the image path of the new process and of its parent

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion

Techniques: T1134 - Access Token Manipulation, T1036 - Masquerading

Sub-techniques: T1134.004 - Parent PID Spoofing

Criteria:

This rule checks if a process whose image path ends with "winlogon.exe" is spawned. The match is a suffix match on the image path, so winlogon.exe launched from System32, SysWow64 or any other directory (including a user-writable one) is evaluated.

It considers the launch suspicious if the parent image is not one of the legitimate smss.exe locations (Windows\System32\smss.exe, Windows\SysWow64\smss.exe, Windows\smss.exe, or Windows\System32\Event Agent\Bin\smss.exe).

The parent comparison uses the parent image recorded by Sysmon in the process creation event. Sysmon reports the parent process ID supplied at process creation, so an attacker who spoofs the parent PID (T1134.004) to make the new process appear to be a child of smss.exe will not be flagged by this criterion alone; such cases need additional telemetry (for example, a creating thread or creator process that differs from the reported parent).
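The criteria above applied to a few Sysmon Event ID 1 records, as an added example that is not part of the original rule documentation or of the vendor's rule engine. The events are constructed for illustration; the field names (Image, ParentImage, ProcessId) are the ones Sysmon uses in its Process Create events. One design choice differs from a bare suffix match on the parent: the legitimate smss.exe locations are anchored to the drive root, so a copy of smss.exe dropped under a user-writable directory such as C:\Users\bob\Windows\System32\ does not satisfy the allowlist.

```python
"""Evaluate the 'suspicious parent spawning winlogon' criteria over Sysmon
Event ID 1 (Process Create) records.  Added illustration; the records below
are constructed, not real telemetry."""
import re

# Parent images the rule treats as legitimate for winlogon.exe.  Anchored to
# a drive root so that C:\Users\bob\Windows\System32\smss.exe does not match
# (stricter than a bare suffix match; a design choice of this example).
LEGITIMATE_SMSS_PARENTS = re.compile(
    r"^[a-z]:\\windows\\("
    r"system32\\smss\.exe|"
    r"syswow64\\smss\.exe|"
    r"smss\.exe|"
    r"system32\\event agent\\bin\\smss\.exe"
    r")$",
    re.IGNORECASE,
)


def normalize_path(path):
    """Case-fold and unify separators; Sysmon reports backslashes but some
    log pipelines rewrite them as forward slashes."""
    return path.strip().replace("/", "\\").lower()


def parse_sysmon_event(text):
    """Parse the 'Key: value' body of a Sysmon Process Create event into a
    dict.  The first line ('Process Create:') is a title and is skipped."""
    fields = {}
    for line in text.strip().splitlines()[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_winlogon(image):
    """Mirror the rule: any image whose path ends with winlogon.exe."""
    return normalize_path(image).endswith("winlogon.exe")


def is_legitimate_parent(parent_image):
    """True only for smss.exe in one of the allowlisted locations."""
    return LEGITIMATE_SMSS_PARENTS.match(normalize_path(parent_image)) is not None


def evaluate(event):
    """True if a winlogon.exe was spawned by a parent other than smss.exe."""
    return is_winlogon(event.get("Image", "")) and not is_legitimate_parent(
        event.get("ParentImage", "")
    )


def find_alerts(raw_events):
    """Return (ProcessId, ParentImage) for every event matching the rule."""
    alerts = []
    for raw in raw_events:
        event = parse_sysmon_event(raw)
        if evaluate(event):
            alerts.append((event.get("ProcessId"), event.get("ParentImage")))
    return alerts


# Constructed sample events (not real telemetry).
BENIGN_SMSS = r"""Process Create:
UtcTime: 2024-02-20 10:00:00.000
ProcessId: 980
Image: C:\Windows\System32\winlogon.exe
ParentProcessId: 520
ParentImage: C:\Windows\System32\smss.exe
"""

SUSPICIOUS_CMD = r"""Process Create:
UtcTime: 2024-02-20 10:05:00.000
ProcessId: 4120
Image: C:\Windows\System32\winlogon.exe
ParentProcessId: 3980
ParentImage: C:\Windows\System32\cmd.exe
"""

SUSPICIOUS_FAKE_SMSS = r"""Process Create:
UtcTime: 2024-02-20 10:06:00.000
ProcessId: 5208
Image: C:\Users\bob\AppData\Local\Temp\winlogon.exe
ParentProcessId: 5100
ParentImage: C:\Users\bob\Windows\System32\smss.exe
"""

UNRELATED = r"""Process Create:
UtcTime: 2024-02-20 10:07:00.000
ProcessId: 3344
Image: C:\Windows\explorer.exe
ParentProcessId: 3300
ParentImage: C:\Windows\System32\userinit.exe
"""

CONSTRUCTED_EVENTS = [BENIGN_SMSS, SUSPICIOUS_CMD, SUSPICIOUS_FAKE_SMSS, UNRELATED]

if __name__ == "__main__":
    for pid, parent in find_alerts(CONSTRUCTED_EVENTS):
        print(f"ALERT: winlogon.exe (PID {pid}) spawned by {parent}")
```

Running the block prints two alerts: the winlogon.exe started by cmd.exe, and the copy started from a user profile by a look-alike smss.exe outside C:\Windows. The smss.exe-spawned winlogon.exe and the unrelated explorer.exe event produce nothing.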

When to enable this rule:

Enable this rule to detect malware or post-exploitation tooling that starts its own winlogon.exe, for example to masquerade as the logon process or to tamper with the interactive logon path for credential theft. On a healthy system winlogon.exe is started only by smss.exe, once per interactive session, so any other parent is worth investigating.

Compliance mapping:

  • NIST CSF: DE.AE (Anomalies and Events), detecting anomalous use of the Windows logon process.
  • CIS Control: 8 (Malware Defenses), safeguarding the authentication process managed by winlogon.exe.