Detect Break Process Trees in Google Chronicle
An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the parent-child relationship for detection, breaking this relationship could result in the adversary's behavior not being associated with previous process tree activity. On Linux systems, adversaries may execute a series of Native API calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the fork() API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the init system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree. Another example is using the daemon syscall to detach from the current parent process and run in the background.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1036 Masquerading
- Sub-technique: T1036.009 Break Process Trees
- Canonical reference: https://attack.mitre.org/techniques/T1036/009/
YARA-L Detection Query
```
rule t1036_009_break_process_trees {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects processes reparented to PID 1 via double-fork or daemon() syscall, indicating process tree breaking for defense evasion on Linux"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.009"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // UDM stores pid as a string, so the literal must be quoted
    $e.target.process.parent_process.pid = "1"
    // Exclude well-known daemons by executable name
    not re.regex(
      $e.target.process.file.full_path,
      `/\b(systemd|init|crond?|atd|sshd|dockerd|containerd|containerd-shim|NetworkManager|rsyslogd|dbus-daemon|polkitd|udisksd|accounts-daemon|agetty|login|su|sudo|auditd|chronyd|ntpd|irqbalance|tuned|lvm|udevd|multipathd|mdadm|lvmetad)\b`
    )
    // Exclude helpers shipped in the systemd and udev library directories
    not re.regex(
      $e.target.process.file.full_path,
      `^/(usr/lib/systemd|lib/systemd|run/systemd|usr/lib/udev|lib/udev)/`
    )

  condition:
    $e
}
```

Detects Linux processes that have been reparented to PID 1 (init or systemd) and are not recognized system daemons. When malware uses the double-fork idiom or invokes the daemon() syscall, the grandchild process loses its original parent and is immediately adopted by init, appearing as a direct child of PID 1 with no traceable process ancestry. This rule fires on any such unexpected reparenting event in Chronicle UDM telemetry.
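The rule's matching logic, re-implemented in Python as an added example (not the rule's own code and not anything Chronicle ships) so the two allowlist regexes can be unit-tested against constructed UDM-shaped events before the rule is deployed. The events, the `launch_event` helper and the `alerts` function are assumptions made for this example; the two regexes are copied from the rule, and for these patterns Python's `re` and Chronicle's RE2 agree, including on `\b`.

```python
import re

# Allowlists copied from the YARA-L rule above. Chronicle evaluates these with RE2;
# for these patterns Python's re module (including \b) behaves the same way.
KNOWN_DAEMON_NAMES = re.compile(
    r"/\b(systemd|init|crond?|atd|sshd|dockerd|containerd|containerd-shim|NetworkManager|"
    r"rsyslogd|dbus-daemon|polkitd|udisksd|accounts-daemon|agetty|login|su|sudo|auditd|"
    r"chronyd|ntpd|irqbalance|tuned|lvm|udevd|multipathd|mdadm|lvmetad)\b"
)
SYSTEM_DIRS = re.compile(r"^/(usr/lib/systemd|lib/systemd|run/systemd|usr/lib/udev|lib/udev)/")


def launch_event(full_path, parent_pid):
    """Build a minimal UDM-shaped PROCESS_LAUNCH event (constructed test data, not real telemetry)."""
    return {
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "target": {
            "process": {
                "file": {"full_path": full_path},
                "parent_process": {"pid": parent_pid},
            }
        },
    }


def rule_matches(event):
    """Apply the rule's events: predicates to one event; True means the rule would fire."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return False
    proc = event.get("target", {}).get("process", {})
    # UDM carries pid as a string, so only the string "1" matches, exactly as in the rule.
    if proc.get("parent_process", {}).get("pid") != "1":
        return False
    path = proc.get("file", {}).get("full_path", "")
    if KNOWN_DAEMON_NAMES.search(path) or SYSTEM_DIRS.search(path):
        return False
    return True


# Constructed events covering the cases discussed on this page.
SAMPLE_EVENTS = [
    launch_event("/usr/sbin/crond", "1"),                  # daemon in the name allowlist
    launch_event("/usr/lib/systemd/systemd-logind", "1"),  # excluded by the directory allowlist
    launch_event("/usr/bin/sleep", "1"),                   # orphaned sleep from the double-fork test
    launch_event("/usr/bin/python3", "1"),                 # python3 after daemon() in the second test
    launch_event("/usr/bin/sleep", "4242"),                # ordinary child of an interactive shell
]


def alerts(events):
    """Return the executable paths of the events that would raise an alert."""
    return [e["target"]["process"]["file"]["full_path"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT: unexpected child of PID 1:", path)
```

When you extend the allowlist, add the new executable to `SAMPLE_EVENTS` with parent pid `"1"` and confirm it disappears from `alerts()`; an event whose parent pid is the integer `1` rather than the string `"1"` never matches, which is why the rule compares against a quoted literal.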
False Positives & Tuning
- Third-party commercial software (enterprise monitoring agents, backup clients, AV engines) that correctly follows POSIX daemonization convention will spawn processes adopted by PID 1, and may not appear in the exclusion regex until explicitly added.
- Snap and Flatpak application sandboxes managed by snapd or Flatpak subsystems can create process trees where applications appear as children of init rather than the launching shell, depending on confinement level.
- Manual backgrounding of scripts using nohup or setsid by system administrators performing maintenance tasks will cause processes to be reparented to PID 1 and trigger this rule.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Double Fork Process Tree Break
  Expected signal: Auditd SYSCALL records for fork/clone syscalls (57/56) from bash. The resulting 'sleep 120' process will show PPID=1 in process listings. Syslog may record the orphaned process adoption.
- Test 2: Daemon Syscall via Python
  Expected signal: Auditd SYSCALL records for fork (57) and setsid (112) syscalls from python3. The grandchild python3 process will show PPID=1 and a new session ID (SID) in process status. /proc/<pid>/status will show PPid=1.
- Test 3: Nohup Background Process Detachment
  Expected signal: Auditd SYSCALL records for fork/clone from bash, followed by the nohup process. The sleep process may show PPID=1 after the parent shell exits. Process creation event from Sysmon for Linux (if deployed) shows nohup spawning sleep.
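A host-side check for validating the three tests above, added here as an example and not part of the Atomic Red Team content or this detection package. It parses /proc/<pid>/status text, reports every non-allowlisted process whose PPid is 1, and uses the NSsid field to tell a process that started its own session (the daemon() path of Test 2) from one that merely lost its parent (Tests 1 and 3). The status excerpts are constructed, the short `ALLOWED_NAMES` set is an assumption for the example, and `scan_live_proc` is only meaningful on a Linux host.

```python
import os

# Constructed /proc/<pid>/status excerpts (not captured from a real host) in the shapes
# the three tests above produce. NSsid is the session id; daemon() calls setsid(), so a
# daemonised process owns a new session whose id equals its own pid.
SAMPLE_STATUS = [
    "Name:\tsshd\nPid:\t900\nPPid:\t1\nNSsid:\t900\n",       # legitimate daemon, allowlisted
    "Name:\tbash\nPid:\t3001\nPPid:\t2900\nNSsid:\t3001\n",  # interactive shell, parent still alive
    "Name:\tsleep\nPid:\t4711\nPPid:\t1\nNSsid:\t3001\n",    # Test 1/3 shape: orphaned, same session
    "Name:\tpython3\nPid:\t4800\nPPid:\t1\nNSsid:\t4800\n",  # Test 2 shape: orphaned, new session
]

# Abbreviated allowlist for the example; a production scan would reuse the rule's full list.
ALLOWED_NAMES = frozenset({"systemd", "init", "sshd", "cron", "crond"})


def parse_status(text):
    """Turn the 'Key:\\tvalue' lines of a status file into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def reparented_processes(status_texts, allowed=ALLOWED_NAMES):
    """Return (pid, name, new_session) for each non-allowlisted process whose PPid is 1.

    new_session is True when the process leads its own session (setsid()/daemon() was
    called), False when it still belongs to the session of the shell that launched it,
    and None when the kernel did not report NSsid (kernels before 4.1).
    """
    found = []
    for text in status_texts:
        f = parse_status(text)
        if f.get("PPid") != "1" or f.get("Name") in allowed:
            continue
        sid = f.get("NSsid")
        new_session = None if sid is None else sid == f["Pid"]
        found.append((int(f["Pid"]), f["Name"], new_session))
    return found


def scan_live_proc():
    """Read every /proc/<pid>/status on this Linux host and apply the same check."""
    texts = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                texts.append(fh.read())
        except OSError:
            continue  # the process exited between listdir() and open()
    return reparented_processes(texts)


if __name__ == "__main__":
    for pid, name, new_session in reparented_processes(SAMPLE_STATUS):
        print(f"pid={pid} name={name} is a child of PID 1, new session: {new_session}")
```

Run `scan_live_proc()` immediately after each atomic test: the sleep from Tests 1 and 3 should appear with `new_session` False, the python3 from Test 2 with `new_session` True, and both should correspond to a PROCESS_LAUNCH event with parent pid "1" in Chronicle.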
References (7)
- https://attack.mitre.org/techniques/T1036/009/
- https://0xjet.github.io/3OHA/2022/04/11/post.html
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
- https://man7.org/linux/man-pages/man2/fork.2.html
- https://man7.org/linux/man-pages/man3/daemon.3.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.009/T1036.009.md