An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the "parent-child" relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.[1]
On Linux systems, adversaries may execute a series of Native API calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the fork() API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the init system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.
Another example is using the "daemon" syscall to detach from the current parent process and run in the background.[2][3]
| ID | Name | Description |
|---|---|---|
| S1161 | BPFDoor |
After initial execution, BPFDoor forks itself and runs the fork with the |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0443 | Detection Strategy for Masquerading via Breaking Process Trees | AN1223 |
Detects anomalous process execution patterns where a process's parent terminates quickly after process creation or is re-parented to 'init' (PID 1), often indicating double-fork or daemon-style detachment. These behaviors sever the parent-child relationship and obscure the execution origin in process tree analysis. |
| AN1224 |
Detects execution patterns where a child process is detached from its original parent, often showing up under 'launchd' (PID 1) with no parent lineage. These breakages in the process tree are indicative of evasive techniques using |