Detect Break Process Trees in Splunk
An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the parent-child relationship for detection, breaking this relationship could result in the adversary's behavior not being associated with previous process tree activity. On Linux systems, adversaries may execute a series of Native API calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the fork() API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the init system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree. Another example is using the daemon syscall to detach from the current parent process and run in the background.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.009 Break Process Trees
- Canonical reference
- https://attack.mitre.org/techniques/T1036/009/
SPL Detection Query
index=linux_audit sourcetype=linux_audit type=SYSCALL
(syscall=57 OR syscall=58 OR syscall=56)
| stats count as ForkCount, values(exe) as Executables, values(ppid) as ParentPIDs, earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, pid, auid
| where ForkCount >= 2
| eval TimeDelta=LastSeen - FirstSeen
| where TimeDelta < 5
| table host, pid, auid, ForkCount, TimeDelta, Executables, ParentPIDs, FirstSeen, LastSeen
| sort - ForkCountDetects rapid consecutive fork/clone/vfork syscalls from the same process, which is the hallmark of the double-fork technique used to break process trees. On x86_64 Linux, fork=57, clone=56, vfork=58. Filters for processes that call fork 2+ times within 5 seconds, which indicates intentional process tree manipulation rather than normal daemon startup. Correlates with auditd SYSCALL records to identify the executable and user context.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate daemon startup sequences that use the standard double-fork pattern (httpd, nginx, postfix)
- System administration scripts using nohup, disown, or setsid to background processes
- Container runtimes forking child processes during container lifecycle operations
- Process supervisors like supervisord, systemd, or runit that manage daemon processes
Other platforms for T1036.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Double Fork Process Tree Break
Expected signal: Auditd SYSCALL records for fork/clone syscalls (57/56) from bash. The resulting 'sleep 120' process will show PPID=1 in process listings. Syslog may record the orphaned process adoption.
- Test 2Daemon Syscall via Python
Expected signal: Auditd SYSCALL records for fork (57) and setsid (112) syscalls from python3. The grandchild python3 process will show PPID=1 and a new session ID (SID) in process status. /proc/<pid>/status will show PPid=1.
- Test 3Nohup Background Process Detachment
Expected signal: Auditd SYSCALL records for fork/clone from bash, followed by the nohup process. The sleep process may show PPID=1 after the parent shell exits. Process creation event from Sysmon for Linux (if deployed) shows nohup spawning sleep.
References (7)
- https://attack.mitre.org/techniques/T1036/009/
- https://0xjet.github.io/3OHA/2022/04/11/post.html
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
- https://man7.org/linux/man-pages/man2/fork.2.html
- https://man7.org/linux/man-pages/man3/daemon.3.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.009/T1036.009.md
Unlock Pro Content
Get the full detection package for T1036.009 including response playbook, investigation guide, and atomic red team tests.