Detects anomalous process execution patterns where a process's parent terminates shortly after creating it, or where the process is re-parented to 'init' (PID 1), often indicating double-fork or daemon-style detachment. These behaviors sever the parent-child relationship and obscure the execution origin in process tree analysis.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | auditd:SYSCALL | fork/clone/daemon syscall tracing |
| Process Creation (DC0032) | auditd:SYSCALL | execve of re-parented process |

| Field | Description |
|---|---|
| TimeWindow | Maximum time between parent and child process creation and parent process termination |
| ReparentingDetectionScope | Scope for detecting unexpected re-parenting to init/systemd |
| ExecutableScope | Subset of monitored executables or services likely to abuse double-fork |
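The following is an added example of how the Linux analytic above can be expressed over auditd SYSCALL records; it is not part of the original page and is not MITRE's or any vendor's code. It assumes simplified, constructed auditd lines (the `SAMPLE_AUDIT` string below is not captured output), that `execve` (syscall 59) and `exit_group` (syscall 231, which auditd only records when a rule for it is configured) are logged, and that the tunables map to the constants `TIME_WINDOW`, `REPARENT_PIDS` and `EXECUTABLE_SCOPE`. A child is flagged either because it already executes with a PID from the re-parenting scope as its parent (the classic double-fork, where the intermediate child exited before the grandchild's `execve`), or because its parent exits within `TIME_WINDOW` seconds of the child's creation.

```python
import re
from dataclasses import dataclass

# Tunables from the detection strategy (values are assumptions for this example).
TIME_WINDOW = 0.5                                   # TimeWindow, seconds
REPARENT_PIDS = {1}                                 # ReparentingDetectionScope: init/systemd
EXECUTABLE_SCOPE = {"/usr/bin/sh", "/usr/bin/bash", # ExecutableScope: interpreters that
                    "/usr/bin/python3", "/usr/bin/perl"}  # commonly host double-fork code

SYS_EXECVE = 59       # x86_64 syscall numbers
SYS_EXIT_GROUP = 231

# Constructed, simplified auditd SYSCALL records (not real captured logs).
# Scenario: bash(1000) spawns python3(1001) and exits 15 ms later; a shell (1002)
# then appears with ppid=1; cron and ls are benign controls.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1000 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1700000000.120:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1700000000.135:103): arch=c000003e syscall=231 success=yes exit=0 ppid=900 pid=1000 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1700000000.140:104): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1002 comm="sh" exe="/usr/bin/sh"
type=SYSCALL msg=audit(1700000005.000:105): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1100 comm="cron" exe="/usr/sbin/cron"
type=SYSCALL msg=audit(1700000010.000:106): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 comm="ls" exe="/usr/bin/ls"
"""

AUDIT_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):\d+\).*?syscall=(?P<sc>\d+).*?'
    r'ppid=(?P<ppid>\d+) pid=(?P<pid>\d+).*?exe="(?P<exe>[^"]+)"'
)


@dataclass
class Record:
    ts: float
    syscall: int
    ppid: int
    pid: int
    exe: str


@dataclass
class Alert:
    pid: int
    exe: str
    reason: str


def parse_records(text):
    """Parse the fields this analytic needs out of auditd SYSCALL lines."""
    recs = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            recs.append(Record(float(m["ts"]), int(m["sc"]), int(m["ppid"]),
                               int(m["pid"]), m["exe"]))
    return recs


def detect_detachment(records, time_window=TIME_WINDOW,
                      executable_scope=EXECUTABLE_SCOPE,
                      reparent_pids=REPARENT_PIDS):
    """Return alerts for in-scope executables that detach from their parent."""
    exits = {}  # pid -> list of exit_group timestamps (PIDs can be reused)
    for r in records:
        if r.syscall == SYS_EXIT_GROUP:
            exits.setdefault(r.pid, []).append(r.ts)

    alerts = []
    for r in records:
        if r.syscall != SYS_EXECVE or r.exe not in executable_scope:
            continue
        # Case 1: the parent is already gone; the child was adopted by init/systemd.
        if r.ppid in reparent_pids:
            alerts.append(Alert(r.pid, r.exe, "reparented_to_init"))
            continue
        # Case 2: the parent exits within TimeWindow of the child's execve.
        # Only exits at or after the child's creation count, which also keeps a
        # later reuse of the parent's PID from being matched here.
        later_exits = [t for t in exits.get(r.ppid, []) if t >= r.ts]
        if later_exits and later_exits[0] - r.ts <= time_window:
            alerts.append(Alert(r.pid, r.exe, "parent_exited_within_window"))
    return alerts


if __name__ == "__main__":
    for a in detect_detachment(parse_records(SAMPLE_AUDIT)):
        print(f"pid={a.pid} exe={a.exe} reason={a.reason}")
```

Tuning note: `ExecutableScope` does the heavy lifting for false-positive control, since long-lived services such as `cron` in the sample legitimately run under PID 1; widening the scope to every executable will surface every daemon started at boot.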

Detects execution patterns where a child process is detached from its original parent, often appearing under 'launchd' (PID 1) with no parent lineage. These breaks in the process tree are indicative of evasive techniques using daemon(), fork() or background execution flags.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Process creation with parent PID of 1 (launchd) |
| OS API Execution (DC0021) | fs:fsusage | Detached process execution with no associated parent |

| Field | Description |
|---|---|
| AnomalyParentPID | Triggering PID used to flag abnormal child adoption (commonly PID 1) |
| AllowedServices | Allowlist of background daemons legitimately using launchd as parent |
| ProcessNameEntropy | Entropy score threshold for abnormal process names in detached state |
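As an added example (not from the original page and not Apple's or MITRE's code), the macOS analytic above can be implemented over a stream of process-creation events that carry `pid`, `ppid` and the process name; the event records below are constructed rather than taken from the unified log, and the three tunables are assumed to map to the parameters `anomaly_parent_pid`, `allowed_services` and `entropy_threshold`. A process is treated as detached when its parent is the anomaly parent (launchd) or when its parent PID was never observed being created in the stream; allowlisted daemons are dropped, and the Shannon entropy of the name is attached so that random-looking names can be prioritised.

```python
import math
from collections import Counter

# Tunables from the detection strategy (values are assumptions for this example).
ANOMALY_PARENT_PID = 1                            # AnomalyParentPID (launchd)
ALLOWED_SERVICES = {"mdworker_shared", "cfprefsd", # AllowedServices: daemons that
                    "distnoted", "coreaudiod"}     # legitimately run under launchd
PROCESS_NAME_ENTROPY = 2.5                         # ProcessNameEntropy threshold (bits)

# Constructed process-creation events, ordered by time (not real unified-log output).
SAMPLE_EVENTS = [
    {"ts": 1.0, "pid": 1,   "ppid": 0,   "name": "launchd"},
    {"ts": 2.0, "pid": 300, "ppid": 1,   "name": "mdworker_shared"},  # allowlisted
    {"ts": 3.0, "pid": 400, "ppid": 1,   "name": "a1b2c3d4"},         # orphan, random name
    {"ts": 4.0, "pid": 500, "ppid": 450, "name": "curl"},             # ppid never seen
    {"ts": 5.0, "pid": 600, "ppid": 300, "name": "sh"},               # normal lineage
]


def shannon_entropy(name):
    """Bits of entropy per character of the process name (0.0 for an empty name)."""
    if not name:
        return 0.0
    n = len(name)
    return -sum((c / n) * math.log2(c / n) for c in Counter(name).values())


def detect_detached(events, anomaly_parent_pid=ANOMALY_PARENT_PID,
                    allowed_services=ALLOWED_SERVICES,
                    entropy_threshold=PROCESS_NAME_ENTROPY):
    """Flag processes with no usable parent lineage, annotated with name entropy."""
    known_pids = {0}  # PID 0 is the kernel; it never appears as a created process
    alerts = []
    for ev in events:
        if ev["ppid"] == anomaly_parent_pid:
            reason = "adopted_by_anomaly_parent"
        elif ev["ppid"] not in known_pids:
            reason = "no_parent_lineage"
        else:
            reason = None
        known_pids.add(ev["pid"])

        if reason is None or ev["name"] in allowed_services:
            continue
        entropy = shannon_entropy(ev["name"])
        alerts.append({
            "pid": ev["pid"],
            "name": ev["name"],
            "reason": reason,
            "entropy": round(entropy, 3),
            "high_entropy": entropy >= entropy_threshold,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_detached(SAMPLE_EVENTS):
        print(a)
```

Design note: the "no parent lineage" branch only works if the event stream starts before the processes of interest, so in practice it should be seeded from a process snapshot at collector start; otherwise every process whose parent predates collection looks orphaned.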