D3-PSA
Definition
Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
How it works
Process attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns.
Some attributes of interest are:
•user
•process name
•image path
•security content
Considerations
•Attackers can spoof the parent process identifier (PPID), which could bypass this defense to allow execution of a malicious process from an arbitrary parent process.
•Attackers could have legitimately compromised any of the process properties, such as the user, to make the execution appear legitimate.
•Location: If the full image path is not checked, there could be a conflict with an executable that appears earlier due to resolution involving the system environment path/classpath variable.
•Parsing issues: If the raw command from a shell is analyzed, rather than the actual function call, it is important to identify the actual command being run from its arguments. In Windows, services with unquoted file paths containing spaces will try to use the first token as the executable and the rest as arguments -- and shift tokens to the executable until a valid one is found.
•Some operating systems can spawn processes without forking.
Artifact Relationships
This defensive technique relates to specific digital artifacts.