Parent Processes

[Patrick Olsen]

Hello,

Maybe I missed this.... Is there a way to specify a parent process name vs. PPID? I get that I can do System (PID 4) as the parent process via its PID, but I would like to setup parent/child relationships via names.

Thank you,

Patrick

[Devon Kerr (Mandiant)]

Patrick, what you’re looking for is ProcessItem > ProcessParentPID.

--
You received this message because you are subscribed to the Google Groups "OpenIOC" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openioc+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Patrick Olsen]

So I can use a named value for that as well? I guess I saw that value and assumed I needed the PID number.

--
v/r,
 
Patrick Olsen

[Devon Kerr (Mandiant)]

Derp – I misunderstood, that would be the parent process ID, not the name of the parent process.

 

Which is kind of odd, because the parent process ID is likely to be variable, at least to some degree, while the parent process name would probably be less likely to be variable.

[Patrick Olsen]

No problem. I was looking at building a whitelist of sorts for core windows processes.

For example...

Parent Process Name = wininit.exe

Child Process = lsass.exe

Process path = %systemroot%\System32\lsass.exe

SID = S-1-5-18

Where the PPIDs wouldn't be static. I can hack around it with other rules I guess, but figured I would ask in case I wasn't seeing something.

--
v/r,
 
Patrick Olsen