Last updated
Last updated
A subset of behavioural detections come from the parent/child relationships of running processes. As a rule of thumb, the parent of a process is the process that started it. As such, a process only has one parent but can have many children. Applications such as Process Hacker visualise these relationships by their indentation.
The "details" window also shows a process' parent.
Most user applications will run as children of explorer, as that's where they're started from.
There are many parent/child relationships that are considered highly suspicious or outright malicious - one example is with our initial access payload. Since we executed a PowerShell one-liner via an Office macro, the instance of powershell.exe becomes a child of winword.exe.
Defender does a good job of blocking these because Word spawning PowerShell is not exactly common behaviour and is a well-known phishing tactic.
Here is a weaponised example:
One way around this is to find a way to execute PowerShell without it become a child of Word. A very low-effort way to do that is with COM. Remember the COM objects from the module? Well, the same can be used for local execution too. The nicer ones to use in this scenario are ShellWindows and ShellBrowserWindow, because they will both spawn processes under explorer. This a simple example of spawning a hidden PowerShell process using ShellWindows.
The arguments for the ShellExecute method are documented .
