
Windows Masquerading Explorer As Child Process

Splunk Security Content

Summary
The 'Windows Masquerading Explorer As Child Process' detection rule identifies instances where the legitimate Windows process explorer.exe is spawned by uncommon parent processes such as cmd.exe, powershell.exe, or regsvr32.exe. Using telemetry from Endpoint Detection and Response (EDR) agents, the analytic inspects the relationship between each process and its parent. Typically, explorer.exe is launched by userinit.exe; deviations from this norm can indicate malicious activity such as process masquerading or code injection, behaviors characteristic of sophisticated malware like Qakbot. If confirmed malicious, this behavior can allow attackers to execute arbitrary code, evade detection, and gain persistence on the system. The detection uses logs from Sysmon, Windows Event Logs, and CrowdStrike to alert on these anomalous parent-child process relationships, allowing quicker threat identification and remediation.
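The parent-child check described above, as an added example that is not the rule's own search logic: it runs over a few constructed process-creation events (Sysmon Event ID 1 style fields), normalizes image paths so casing and directory do not matter, and returns the events an analyst would see as alerts. The ProcessEvent fields and the sample hosts and users are assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass

# Parent processes the rule summary names as uncommon for explorer.exe.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "regsvr32.exe"}
# The parent that normally launches the shell at logon.
EXPECTED_PARENT = "userinit.exe"


@dataclass(frozen=True)
class ProcessEvent:
    # Minimal subset of a process-creation event (field names are assumptions).
    host: str
    user: str
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    # ntpath parses Windows paths on any platform; lowercase so Explorer.EXE matches.
    return ntpath.basename(path).lower()


def is_masquerading_explorer(ev: ProcessEvent) -> bool:
    """True when explorer.exe is spawned by one of the uncommon parents."""
    return (basename(ev.image) == "explorer.exe"
            and basename(ev.parent_image) in SUSPICIOUS_PARENTS)


def find_alerts(events):
    """Return the events the rule would alert on, with the fields an analyst needs first."""
    return [{"host": ev.host, "user": ev.user,
             "parent": basename(ev.parent_image), "command_line": ev.command_line}
            for ev in events if is_masquerading_explorer(ev)]


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\userinit.exe", "C:\\Windows\\Explorer.EXE"),
    ProcessEvent("ws01", "CORP\\alice", r"C:\Windows\Explorer.EXE",
                 r"C:\Windows\System32\cmd.exe", "explorer.exe"),
    ProcessEvent("ws02", "CORP\\bob", r"C:\Windows\explorer.exe",
                 r"C:\Windows\SysWOW64\regsvr32.exe", "explorer.exe"),
    ProcessEvent("ws02", "CORP\\bob", r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\System32\cmd.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

An administrator restarting the shell from a command prompt produces the same parent-child pair, so treat a hit as a lead to triage against the parent's command line and user context rather than as a confirmed compromise.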
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Container
  • User Account
  • Windows Registry
  • Script
  • Image
  • Web Credential
  • Named Pipe
  • Certificate
  • WMI
  • Cloud Storage
  • Internet Scan
  • Persona
  • Group
  • Application Log
  • Logon Session
  • Instance
  • Sensor Health
  • File
  • Drive
  • Snapshot
  • Command
  • Kernel
  • Driver
  • Volume
  • Cloud Service
  • Malware Repository
  • Network Share
  • Network Traffic
  • Scheduled Job
  • Firmware
  • Active Directory
  • Service
  • Domain Name
  • Process
  • Firewall
  • Module
ATT&CK Techniques
  • T1574.002
  • T1574
Created: 2024-12-10