D3-PLA

Detect
Process Lineage Analysis

Definition

Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.

How it works

Process tree analysis techniques gather information on how a process was initiated to determine if a process is malicious. For example, if a process was not initiated from boot or not initiated by another process, that process is identified as suspicious. Also, if a new process was started before a process initiated by the device (ex. during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as type of process, its creator, source, etc.) the process is identified as suspicious.

For example, Microsoft Word may block execution of any subprocess that is not in an approved path.

Considerations

Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis on process lineage ineffective.

Processes may hide from various means of detection; an example on Linux is where a rootkit might remove key files for the process from its directory in /proc.

Zombie processes.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

analyzes
analyzes
Process Lineage Analysis
Process
Process Tree

References

Reference - CAR-2020-11-002: Local Network Sniffing - MITRE Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITRE Reference - CAR-2021-02-002: Get System Elevation - MITRE Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITRE Reference - CAR-2014-11-008: Command Launched from WinLogon - MITRE Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE Reference - CAR-2019-04-002: Generic Regsvr32 - MITRE Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITRE Reference - CAR-2013-02-003: Processes Spawning cmd.exe - MITRE Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITRE Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITRE Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITRE Reference - CAR-2013-09-005: Service Outlier Executables - MITRE Reference - CAR-2014-07-001: Service Search Path Interception - MITRE Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks IncCyber Secdo Ltd Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Inc Reference - CAR-2019-04-001: UAC Bypass - MITRE