D3-PLA
Definition
Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.
How it works
Process tree analysis techniques gather information on how a process was initiated to determine if a process is malicious. For example, if a process was not initiated from boot or not initiated by another process, that process is identified as suspicious. Also, if a new process was started before a process initiated by the device (ex. during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as type of process, its creator, source, etc.) the process is identified as suspicious.
For example, Microsoft Word may block execution of any subprocess that is not in an approved path.
Considerations
•Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis on process lineage ineffective.
•Processes may hide from various means of detection; an example on Linux is where a rootkit might remove key files for the process from its directory in /proc.
•Zombie processes.
Artifact Relationships
This defensive technique relates to specific digital artifacts.