T1036.009 Break Process Trees Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

Syslog
| where Timestamp > ago(24h)
| where Facility == "authpriv" or Facility == "auth" or Facility == "daemon"
| where SyslogMessage has_any ("fork", "daemon", "setsid", "double fork")
| project Timestamp, Computer, Facility, SyslogMessage;
let OrphanedProcesses = Syslog
| where Timestamp > ago(24h)
| where ProcessName !in ("systemd", "init", "cron", "atd", "sshd", "dockerd", "containerd")
| where SyslogMessage has "PPID=1" or SyslogMessage has "ppid=1"
| project Timestamp, Computer, ProcessName, SyslogMessage;
let AuditFork = Syslog
| where Timestamp > ago(24h)
| where Facility == "authpriv"
| where SyslogMessage has "type=SYSCALL" and SyslogMessage has_any ("syscall=57", "syscall=58", "syscall=56")
| project Timestamp, Computer, SyslogMessage;
union OrphanedProcesses, AuditFork
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Syslog Linux Audit Logs

Required Tables

Syslog

False Positives

Legitimate Linux daemons that intentionally double-fork during startup (e.g., Apache httpd, nginx, postfix, named) — these are expected to run with PPID=1
System administration scripts that use 'nohup' or 'disown' to detach long-running background processes from the controlling terminal
Container runtimes (Docker, containerd, CRI-O) that fork child processes which naturally become orphaned when the parent container process exits
Cron jobs and at-scheduled tasks that fork child processes — the cron daemon itself runs with PPID=1

Splunk

spl

index=linux_audit sourcetype=linux_audit type=SYSCALL
  (syscall=57 OR syscall=58 OR syscall=56)
| stats count as ForkCount, values(exe) as Executables, values(ppid) as ParentPIDs, earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, pid, auid
| where ForkCount >= 2
| eval TimeDelta=LastSeen - FirstSeen
| where TimeDelta < 5
| table host, pid, auid, ForkCount, TimeDelta, Executables, ParentPIDs, FirstSeen, LastSeen
| sort - ForkCount

medium severity medium confidence

Data Sources

Process: OS API Execution Linux Audit Logs (auditd)

Required Sourcetypes

linux_audit

False Positives

Legitimate daemon startup sequences that use the standard double-fork pattern (httpd, nginx, postfix)
System administration scripts using nohup, disown, or setsid to background processes
Container runtimes forking child processes during container lifecycle operations
Process supervisors like supervisord, systemd, or runit that manage daemon processes

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=10s
  [process where event.type == "start" and
   host.os.type == "linux" and
   process.parent.pid != 1 and
   not process.name in ("systemd", "init", "cron", "crond", "atd", "sshd", "dockerd", "containerd", "runc")]
  [process where event.type == "start" and
   host.os.type == "linux" and
   process.parent.pid == 1 and
   not process.name in ("systemd", "init", "cron", "crond", "atd", "sshd", "dockerd", "containerd", "containerd-shim", "NetworkManager", "rsyslogd", "dbus-daemon", "polkitd", "accounts-daemon", "agetty", "login")]

high severity medium confidence

Data Sources

Elastic Endpoint (auditbeat) Elastic Agent with Linux integration Auditbeat process module

Required Tables

process (ECS)

False Positives

Legitimate software that uses the POSIX double-fork convention for proper daemonization on startup (e.g., custom enterprise monitoring agents, legacy Unix services) will appear as a process reparented to PID 1 and may not be in the exclusion list.
Container runtimes such as containerd-shim and runc spawn managed container processes that can appear as direct children of init, especially in Kubernetes node environments.
System automation tools like Ansible, Puppet, or Chef that run tasks via nohup or disown to background processes will produce process reparenting events that match this sequence pattern.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  "username" AS AuditUID,
  "pid" AS ProcessID,
  "ppid" AS ParentPID,
  "exe" AS Executable,
  "syscall" AS SyscallNumber,
  COUNT(*) AS ForkCount,
  MIN(starttime) AS FirstSeen,
  MAX(starttime) AS LastSeen,
  (MAX(starttime) - MIN(starttime)) / 1000 AS TimeDeltaSeconds
FROM events
WHERE LOGSOURCETYPEID IN (
  SELECT id FROM logsourcetypes WHERE name LIKE '%Linux%' OR name LIKE '%Auditd%'
)
  AND ("syscall" = '57' OR "syscall" = '58' OR "syscall" = '56')
  AND starttime > (NOW() - 86400000)
GROUP BY
  sourceip, "username", "pid", "exe", "syscall",
  TRUNCATE(starttime / 60000)
HAVING COUNT(*) >= 2
  AND (MAX(starttime) - MIN(starttime)) / 1000 <= 5
ORDER BY ForkCount DESC

high severity medium confidence

Data Sources

QRadar Linux OS log source Syslog/auditd forwarded via QRadar WinCollect or syslog source Auditbeat forwarded to QRadar via Syslog

Required Tables

events

False Positives

Web servers using pre-fork concurrency models (Apache httpd with MPM prefork, Gunicorn, Unicorn) generate multiple rapid fork() calls during worker process initialization, which will exceed the ForkCount threshold during startup or reload.
Database systems such as PostgreSQL and MySQL fork new backend processes for each incoming connection, producing high-frequency fork syscall events that will match this detection during peak load.
Build systems and parallel compilation pipelines (GNU make -j, Ninja, Bazel) fork dozens of worker processes in rapid succession during software builds and will trigger this query across CI/CD hosts.

Sumo Logic CSE

sql

_sourceCategory=linux/audit type=SYSCALL (syscall=57 OR syscall=58 OR syscall=56)
| parse "pid=* " as pid
| parse "ppid=* " as ppid
| parse regex "exe=\"(?<exe>[^\"]+)\""
| parse "auid=* " as auid
| parse "syscall=* " as syscall
| where !(exe matches "/usr/sbin/*" OR exe matches "/lib/systemd/*" OR exe matches "/usr/lib/systemd/*")
| timeslice 5s
| count as ForkCount by _timeslice, _sourceHost, pid, ppid, auid, exe
| where ForkCount >= 2
| sort by ForkCount desc
| fields _timeslice, _sourceHost, pid, ppid, auid, exe, ForkCount

high severity medium confidence

Data Sources

Sumo Logic Installed Collector on Linux hosts Sumo Logic CSE Linux Auditd data source Syslog (rsyslog or syslog-ng) forwarding auditd messages to Sumo Logic

Required Tables

linux/audit (_sourceCategory=linux/audit)

False Positives

Application servers using pre-fork worker models (Apache httpd prefork MPM, Puma, Unicorn, Gunicorn) legitimately invoke fork() multiple times during startup or hot reload, producing ForkCount values well above the threshold of 2.
Containerized workloads using runc or crun as container runtime may generate clustered fork/clone syscall events during container creation and initialization sequences that match this pattern.
Security scanning tools or vulnerability assessment frameworks that enumerate or probe processes via forked subprocesses will generate elevated fork counts across scanning hosts.

Google Chronicle / SecOps

yaral

rule t1036_009_break_process_trees {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects processes reparented to PID 1 via double-fork or daemon() syscall, indicating process tree breaking for defense evasion on Linux"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.009"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.parent_process.pid = 1
    not re.regex(
      $e.target.process.file.full_path,
      `/\b(systemd|init|crond?|atd|sshd|dockerd|containerd|containerd-shim|NetworkManager|rsyslogd|dbus-daemon|polkitd|udisksd|accounts-daemon|agetty|login|su|sudo|auditd|chronyd|ntpd|irqbalance|tuned|lvm|udevd|multipathd|mdadm|lvmetad)\b`
    )
    not re.regex(
      $e.target.process.file.full_path,
      `^/(usr/lib/systemd|lib/systemd|run/systemd|usr/lib/udev|lib/udev)/`
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM via BindPlane agent Chronicle Linux endpoint telemetry (Auditbeat or osquery) Syslog forwarded to Chronicle via Ingestion API

Required Tables

process (UDM event type PROCESS_LAUNCH)

False Positives

Third-party commercial software (enterprise monitoring agents, backup clients, AV engines) that correctly follows POSIX daemonization convention will spawn processes adopted by PID 1, and may not appear in the exclusion regex until explicitly added.
Snap and Flatpak application sandboxes managed by snapd or Flatpak subsystems can create process trees where applications appear as children of init rather than the launching shell, depending on confinement level.
Manual backgrounding of scripts using nohup or setsid by system administrators performing maintenance tasks will cause processes to be reparented to PID 1 and trigger this rule.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(bash|sh|dash|zsh|ksh|python3?|perl5?|ruby|php|node|lua)$/i
| groupBy(
    [ComputerName, UserName, TargetProcessId, FileName, CommandLine, ParentBaseFileName],
    function=[
      count(as=SpawnCount),
      min(ContextTimeStamp, as=FirstSeen),
      max(ContextTimeStamp, as=LastSeen),
      collect(ParentProcessId, as=ObservedParentPIDs)
    ]
  )
| TimeDeltaMs := LastSeen - FirstSeen
| TimeDeltaMs < 10000
| SpawnCount >= 2
| sort(SpawnCount, order=desc, limit=200)
| select([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SpawnCount, TimeDeltaMs, FirstSeen, LastSeen, ObservedParentPIDs])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) Falcon Data Replicator (FDR) process telemetry

Required Tables

ProcessRollup2

False Positives

Shell scripts used in CI/CD pipelines or deployment automation that launch multiple background worker processes in parallel (e.g., parallel test runners, concurrent service starters) will produce rapid back-to-back ProcessRollup2 events from a shell parent.
Python or Perl-based job dispatchers and task queue workers (Celery, Gearman) that fork child workers from a persistent daemon process will generate clustered spawn events that match this detection pattern.
Development tooling with hot-reload or watch functionality (nodemon, watchdog, entr) that restarts a subprocess immediately after detecting file changes will trigger repeated rapid process creation from an interpreter parent.

Break Process Trees

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections