Windows Masquerading Explorer as Child Process

Rule added on 20th February, 2024

Prerequisite:

The rule requires sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This rule focuses on a suspicious parent-child process relationship. Normally, explorer.exe (File Explorer) runs independently. However, malware can spawn a new explorer.exe process as its child to inject malicious code and potentially bypass security detections. This rule flags instances where explorer.exe has an unexpected parent process, helping identify potential malware masquerading as a legitimate Windows process.

Data source:

Windows: Network traffic, process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005 - Defense Evasion

Techniques: T1036 - Masquerading

Sub-techniques: T1036.005 - Masquerade Task or Service

Criteria:

Parent Process Name: The rule checks if the name of the parent process ends with any of the following:

  • "cmd.exe": This is the command prompt executable.
  • "powershell.exe": This is the PowerShell executable, a powerful scripting tool.
  • "regsvr32.exe": This is a tool used to register ActiveX controls or DLLs.

Child Process Name: The rule then checks if the name of the child process ends with either of the following:

  • "Windows\explorer.exe": This is the standard path for the Windows Explorer executable.
  • "Windows\SysWow64\explorer.exe": This is the path for the Windows Explorer executable on 64-bit systems.
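The two criteria above amount to a suffix match on the parent image and a suffix match on the child image of a process-creation event. The following is an added example that implements that matching logic and runs it over constructed Sysmon Event ID 1 records; it is not the vendor's rule engine, and the field names (Image, ParentImage, ProcessId) follow Sysmon's process-creation event. Case-insensitive comparison is an assumption made here because Windows paths are case-insensitive and Sysmon logs them as the process reported them.

```python
"""Added example: the parent/child suffix matching from the Criteria section,
applied to constructed Sysmon Event ID 1 (process creation) records.
Not the vendor's implementation; field names follow Sysmon's schema."""

from typing import Iterable, List, Dict, Any

# Suffixes taken from the Criteria section. Comparison is case-insensitive
# (an assumption of this example): Windows paths are case-insensitive and
# Sysmon may log "C:\Windows\System32\cmd.exe" or "C:\WINDOWS\system32\cmd.exe".
PARENT_SUFFIXES = ("cmd.exe", "powershell.exe", "regsvr32.exe")
CHILD_SUFFIXES = ("windows\\explorer.exe", "windows\\syswow64\\explorer.exe")


def _ends_with_any(path: str, suffixes: Iterable[str]) -> bool:
    """Case-insensitive 'ends with' on the full image path."""
    lowered = path.lower()
    return any(lowered.endswith(s) for s in suffixes)


def matches_rule(parent_image: str, image: str) -> bool:
    """True when both rule conditions hold: the parent image ends with one of
    the listed launchers and the child image is explorer.exe under \\Windows
    or \\Windows\\SysWow64."""
    return _ends_with_any(parent_image, PARENT_SUFFIXES) and _ends_with_any(image, CHILD_SUFFIXES)


def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule to process-creation records (EventID 1) and return the
    records that would raise the alert, in input order."""
    return [
        e for e in events
        if e.get("EventID") == 1 and matches_rule(e.get("ParentImage", ""), e.get("Image", ""))
    ]


# Constructed sample records modelled on Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    # Normal logon: userinit.exe starts the shell. Must not alert.
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    # explorer.exe spawned from a command prompt: alerts.
    {"EventID": 1, "ProcessId": 5212, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # SysWow64 explorer.exe spawned by regsvr32.exe, mixed-case path: alerts.
    {"EventID": 1, "ProcessId": 6004, "Image": r"C:\WINDOWS\SysWOW64\explorer.exe",
     "ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe"},
    # PowerShell starting an explorer.exe that is not under \Windows:
    # the child condition fails, so this rule does not fire.
    {"EventID": 1, "ProcessId": 6120, "Image": r"C:\Users\Public\explorer.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # cmd.exe launching notepad.exe: the child condition fails.
    {"EventID": 1, "ProcessId": 6300, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} parent={hit['ParentImage']} child={hit['Image']}")
```

Two things the sample set makes visible that the bullet list alone does not: an explorer.exe copied outside the Windows directory is not covered by the child condition and would need a separate name-only rule, and because the parent condition is a plain suffix match, any parent image whose name merely ends in one of the three strings also satisfies it, so the parent path should be inspected during analysis before the alert is acted on.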

When to enable this rule:

Enable this rule when the user wants to identify potential malware injection.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Detection Processes) for detecting anomalies in system processes.
  • CIS Control: 8 (Malware Defense) to detect and prevent malicious activities disrupting critical processes.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.