Unusual Parent-Child Relationship Query and process parent hyphen value

Hello,

I'm noticing a large amount of detections on the "Unusual Parent-Child Relationship" detection rule, which seems to be related to the fact that some processes don't have a parent process. The data source is forwarded Sysmon events.

The query, which looks like this:

signal.rule.query: "event.category:process and event.type:(start or process_started) and process.parent.executable:* and (
	process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or 
	process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or 
	process.name:autochk.exe and not process.parent.name:smss.exe or process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or
	process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or 
	process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or 
	process.name:SearchIndexer.exe and not process.parent.name:services.exe or 
	process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or 
	process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or 
	process.name:smss.exe and not process.parent.name:(System or smss.exe) or 
	process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or 
	process.name:wininit.exe and not process.parent.name:smss.exe or 
	process.name:winlogon.exe and not process.parent.name:smss.exe or 
	process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or 
	process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or 
	process.name:services.exe and not process.parent.name:wininit.exe or 
	process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or 
	process.name:spoolsv.exe and not process.parent.name:services.exe or 
	process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or 
	process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or 
	process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe)
)"

is looking for events where process.parent.executable:* matches. But processes which don't have a parent process have a hyphen as the value.

For example:

So am I correct in thinking that the query should be updated so that it ignores events where process.parent.executable:"-"?

For example:

event.category:process and event.type:(start or process_started) and process.parent.executable:* and not process.parent.executable:"-" and ...

Or am I missing something?

Grtz

Willem

Which agent/beat is outputting the dash in the data set? I do not remember a beat/agent doing that before but would like to know which one it is.

I asked around and this rule has been converted to EQL for the upcoming 7.next release. You should be able to try out a custom rule with the same EQL within 7.10 today using that repo's test commands and then see if this fixes you for a custom rule as a workaround for now.

Ref:

Thanks for your answer @Frank_Hassanabad

The agent we are using is Elastic and Winlogbeat 7.9.2, which has been installed on the WEF collector and uses the sysmon module. I also do not know where the dash is added.

Example event:

{
  "_index": "winlogbeat-7.9.2-2020.12.14-000059",
  "_type": "_doc",
  "_id": "yGWZYnYKgRcrpJ2",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-12-14T18:51:16.118Z",
    "winlog": {
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "provider_name": "Microsoft-Windows-Sysmon",
      "task": "Process Create (rule: ProcessCreate)",
      "version": 5,
      "user": {
        "identifier": "S-1-5-18",
        "name": "SYSTEM",
        "domain": "NT AUTHORITY",
        "type": "User"
      },
      "event_data": {
        "Product": "Microsoft® Windows® Operating System",
        "LogonGuid": "{a65d432e-b424-5fd7-e703-000000000000}",
        "FileVersion": "10.0.18362.387 (WinBuild.160101.0800)",
        "OriginalFileName": "WinInit.exe",
        "IntegrityLevel": "System",
        "TerminalSessionId": "0",
        "Description": "Windows Start-Up Application",
        "Company": "Microsoft Corporation",
        "LogonId": "0x3e7",
        "RuleName": "-"
      },
      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
      "process": {
        "pid": 5040,
        "thread": {
          "id": 7436
        }
      },
      "record_id": 93980,
      "api": "wineventlog",
      "computer_name": "CP960",
      "event_id": 1
    },
    "user": {
      "domain": "NT AUTHORITY",
      "name": "SYSTEM"
    },
    "related": {
      "user": "SYSTEM",
      "hash": [
        "e83650f70459a027aa596e1a73c961a1",
        "d5e122606054fa0b03db3ee8cf9ea7701e523875e2bdb87581ad7232ffc9308e",
        "43bbe267e832982296370a326a7ac134"
      ]
    },
    "log": {
      "level": "information"
    },
    "ecs": {
      "version": "1.5.0"
    },
    "message": "Process Create:\nRuleName: -\nUtcTime: 2020-12-14 18:51:16.118\nProcessGuid: {a65d432e-b424-5fd7-0800-000000005c00}\nProcessId: 928\nImage: C:\\Windows\\System32\\wininit.exe\nFileVersion: 10.0.18362.387 (WinBuild.160101.0800)\nDescription: Windows Start-Up Application\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: WinInit.exe\nCommandLine: wininit.exe\nCurrentDirectory: C:\\Windows\\system32\\\nUser: NT AUTHORITY\\SYSTEM\nLogonGuid: {a65d432e-b424-5fd7-e703-000000000000}\nLogonId: 0x3E7\nTerminalSessionId: 0\nIntegrityLevel: System\nHashes: MD5=E83650F70459A027AA596E1A73C961A1,SHA256=D5E122606054FA0B03DB3EE8CF9EA7701E523875E2BDB87581AD7232FFC9308E,IMPHASH=43BBE267E832982296370A326A7AC134\nParentProcessGuid: {00000000-0000-0000-0000-000000000000}\nParentProcessId: 572\nParentImage: -\nParentCommandLine: -",
    "process": {
      "name": "wininit.exe",
      "hash": {
        "md5": "e83650f70459a027aa596e3c961a1",
        "sha256": "d5e122606054fa0b03dbea7701e523875e2bdb87581ad7232ffc9308e"
      },
      "pid": 928,
      "executable": "C:\\Windows\\System32\\wininit.exe",
      "command_line": "wininit.exe",
      "args": [
        "wininit.exe"
      ],
      "pe": {
        "imphash": "43bbe267e83270a326a7ac134"
      },
      "entity_id": "{a65d432e-b424-5fd7-0800-00005c00}",
      "working_directory": "C:\\Windows\\system32\\",
      "parent": {
        "args": [
          "-"
        ],
        "entity_id": "{00000000-0000-0000-0000-000000000000}",
        "pid": 572,
        "executable": "-",
        "command_line": "-",
        "name": "-"
      }
    },
    "event": {
      "created": "2020-12-14T18:53:26.563Z",
      "module": "sysmon",
      "type": [
        "start",
        "process_start"
      ],
      "category": [
        "process"
      ],
      "kind": "event",
      "code": 1,
      "provider": "Microsoft-Windows-Sysmon",
      "action": "Process Create (rule: ProcessCreate)"
    },
    "host": {
      "name": "CP96"
    },
    "tags": [
      "forwarded"
    ],
    "hash": {
      "md5": "e83650aa596e1a73c961a1",
      "sha256": "d5e122606054fa81ad7232ffc9308e",
      "imphash": "43bbe267e296370a326a7ac134"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-12-14T18:51:16.118Z"
    ],
    "event.created": [
      "2020-12-14T18:53:26.563Z"
    ]
  },
  "highlight": {
    "process.name": [
      "@kibana-highlighted-field@wininit.exe@/kibana-highlighted-field@"
    ],
    "event.provider": [
      "@kibana-highlighted-field@Microsoft-Windows-Sysmon@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1607971876118
  ]
}

As you can see, process.parent.name has a dash as its value. This is just one example; I made a list of all Sysmon process events (based on imphash) of the last 7 days where process.parent.name has a '-' as its value:

This is only a small percentage; most Sysmon process events do have a value.

Checked the 7.11 version of the rule and the EQL query should indeed fix my problem. Unfortunately I will not have the time to update to 7.10.1 until mid January.

Best regards,

Willem
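To make the effect of the proposed `and not process.parent.executable:"-"` clause concrete, here is an added example (not Elastic's rule code and not posted by anyone in this thread) that transcribes the KQL clauses from the first post into Python and runs them over a handful of constructed ECS-style documents, one of them shaped like the wininit.exe event posted above with every parent field set to "-". Because KQL `and` binds tighter than `or`, each `process.name:X and not process.parent.name:(...)` clause can be listed independently, which is what the two tables below do. Field values are compared exactly, as a keyword field would be; the event ids, the cmd.exe parent and the `triage` helper are constructed for the example.

```python
"""Toy evaluator for the 'Unusual Parent-Child Relationship' rule logic.

Added example: re-implements the rule's KQL clauses in Python so the effect
of excluding process.parent.executable:"-" can be checked offline.
"""
from typing import Dict, Iterable, List, Set

# Clauses of the form  process.name:X and not process.parent.name:(Y ...)
# Key: child process name; value: parents the rule treats as normal.
EXPECTED_PARENTS: Dict[str, Set[str]] = {
    "autochk.exe": {"smss.exe"},
    "fontdrvhost.exe": {"wininit.exe", "winlogon.exe"},
    "dwm.exe": {"wininit.exe", "winlogon.exe"},
    "consent.exe": {"svchost.exe"},
    "RuntimeBroker.exe": {"svchost.exe"},
    "TiWorker.exe": {"svchost.exe"},
    "wermgr.exe": {"svchost.exe", "TiWorker.exe"},
    "SearchIndexer.exe": {"services.exe"},
    "SearchProtocolHost.exe": {"SearchIndexer.exe", "dllhost.exe"},
    "dllhost.exe": {"services.exe", "svchost.exe"},
    "smss.exe": {"System", "smss.exe"},
    "csrss.exe": {"smss.exe", "svchost.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "lsass.exe": {"wininit.exe"},
    "LsaIso.exe": {"wininit.exe"},
    "LogonUI.exe": {"wininit.exe", "winlogon.exe"},
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"MsMpEng.exe", "services.exe"},
    "spoolsv.exe": {"services.exe"},
    "taskhost.exe": {"services.exe", "svchost.exe"},
    "taskhostw.exe": {"services.exe", "svchost.exe"},
    "userinit.exe": {"dwm.exe", "winlogon.exe"},
}

# Clauses of the form  process.parent.name:X and not process.name:(Y ...)
# Key: parent process name; value: children the rule treats as normal.
EXPECTED_CHILDREN: Dict[str, Set[str]] = {
    "autochk.exe": {"chkdsk.exe", "doskey.exe", "WerFault.exe"},
    "smss.exe": {"autochk.exe", "smss.exe", "csrss.exe", "wininit.exe",
                 "winlogon.exe", "WerFault.exe"},
}


def unusual_pair(name: str, parent_name: str) -> bool:
    """True if the (child, parent) pair violates any clause of the rule."""
    if name in EXPECTED_PARENTS and parent_name not in EXPECTED_PARENTS[name]:
        return True
    if parent_name in EXPECTED_CHILDREN and name not in EXPECTED_CHILDREN[parent_name]:
        return True
    return False


def rule_matches(event: dict, exclude_dash: bool) -> bool:
    """Evaluate the rule against a flat, dotted-key ECS document.

    exclude_dash=False mirrors the original rule: process.parent.executable:*
    is an exists check, so the literal "-" satisfies it.
    exclude_dash=True adds `and not process.parent.executable:"-"`.
    """
    if event.get("event.category") != "process":
        return False
    if not set(event.get("event.type", [])) & {"start", "process_started"}:
        return False
    parent_exe = event.get("process.parent.executable")
    if parent_exe is None:          # field absent: process.parent.executable:* fails
        return False
    if exclude_dash and parent_exe == "-":
        return False
    return unusual_pair(event["process.name"], event.get("process.parent.name", ""))


def _doc(doc_id: str, name: str, parent: str, parent_exe: str) -> dict:
    """Build a constructed process-start document with the fields the rule reads."""
    return {"id": doc_id, "event.category": "process",
            "event.type": ["start", "process_start"],
            "process.name": name, "process.parent.name": parent,
            "process.parent.executable": parent_exe}


# Constructed sample documents (hypothetical, modeled on the thread's event).
SAMPLE_EVENTS: List[dict] = [
    # Same shape as the wininit.exe document posted above: parent fields are "-".
    _doc("no-parent-wininit", "wininit.exe", "-", "-"),
    # Normal boot chain: smss.exe -> wininit.exe.
    _doc("normal-wininit", "wininit.exe", "smss.exe", r"C:\Windows\System32\smss.exe"),
    # Constructed anomaly: wininit.exe started by a parent the rule does not expect.
    _doc("odd-wininit", "wininit.exe", "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # Normal service host: services.exe -> svchost.exe.
    _doc("normal-svchost", "svchost.exe", "services.exe", r"C:\Windows\System32\services.exe"),
]


def triage(events: Iterable[dict], exclude_dash: bool) -> List[str]:
    """Return the ids of the documents the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e, exclude_dash)]


if __name__ == "__main__":
    print("original rule :", triage(SAMPLE_EVENTS, exclude_dash=False))
    print("with dash excl:", triage(SAMPLE_EVENTS, exclude_dash=True))
```

Running it shows the original logic alerting on both the parentless wininit.exe document and the genuinely odd one, while the version with the "-" exclusion alerts only on the odd parent. The trade-off a defender should keep in mind is that the exclusion also silences any event whose parent Sysmon could not resolve, so it is worth tracking how many documents carry the "-" value, as the list mentioned above does, rather than assuming they are all benign boot-time processes.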