T1036.009
Break Process Trees
An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child” relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 202...
Platforms: Linux, macOS
6 Detections
2 Sources
0 Threat Actors
BY SOURCE: 4 elastic, 2 splunk_escu
PROCEDURES (5)
Unusual: 2 detections (auto-extracted: 2 detections for "unusual")
General Monitoring: 1 detection (auto-extracted: 1 detection for "general monitoring")
Suspicious: 1 detection (auto-extracted: 1 detection for "suspicious")
Masquerad: 1 detection (auto-extracted: 1 detection for "masquerad")
Suspicious: 1 detection (auto-extracted: 1 detection for "suspicious")
DETECTIONS (6)
Process Backgrounded by Unusual Parent (elastic, severity: low)
Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (elastic, severity: medium)
Unusual Execution from Kernel Thread (kthreadd) Parent (elastic, severity: medium)
Unusual Parent-Child Relationship (elastic, severity: medium)
Windows Svchost.exe Parent Process Anomaly (splunk_escu)
Windows Unusual SysWOW64 Process Run System32 Executable (splunk_escu)