This note documents detection patterns related to suspicious parent-child process relationships within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4688	Process creation	Critical	Primary Windows audit source. Contains parent PID, child PID, creator SID, command line, and token context.
Sysmon	1	Process creation	Critical	Best host telemetry. Includes parent image, child image, hashes, integrity level, GUID linkage.
EDR Telemetry	N/A	Process tree lineage	Critical	Highest-value source for full ancestry and lateral correlation across process generations.
Sysmon	5	Process terminated	Medium	Useful when attacker launches short-lived shells or one-shot payloads.
Sysmon	7	Image loaded	Medium	Supports DLL sideloading, injection, and LOLBIN context when suspicious child appears.
Security	4624	Successful logon	High	Correlate interactive or remote logon immediately preceding suspicious chain.
Security	4672	Privileged logon	High	Elevated token often precedes service abuse or administrative shell spawn.
PowerShell	4104	Script block logging	Critical	If PowerShell appears as child, often reveals exact payload.
WMI Activity	5857 / 5858	WMI provider activity	High	Critical when `wmiprvse.exe` is parent.
Task Scheduler Operational	106 / 140 / 200	Task execution	High	Important when `taskhostw.exe` or `schtasks.exe` appears in chain.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Office spawning shell	`winword.exe -> powershell.exe`	Critical	Strong macro or malicious document signal.
Browser spawning shell	`chrome.exe -> cmd.exe`	Critical	Exploit chain or downloaded payload execution.
Service spawning shell	`services.exe -> cmd.exe`	Critical	Often persistence or service abuse.
svchost spawning shell	`svchost.exe -> powershell.exe`	Critical	Rare and highly suspicious outside narrow service contexts.
WMI execution	`wmiprvse.exe -> cmd.exe`	Critical	Common remote execution primitive.
Scheduled task payload	`taskhostw.exe -> powershell.exe`	High	Persistence or delayed execution.
Script engine chain	`wscript.exe -> powershell.exe`	High	Fileless or staged execution.
LOLBIN proxy chain	`mshta.exe -> powershell.exe`	Critical	Living-off-the-land execution chain.
High-risk system parent	`lsass.exe`, `winlogon.exe`, `smss.exe` spawning children	Critical	Rare under legitimate operation.
Parent-child mismatch by integrity	Medium integrity parent launching SYSTEM child unexpectedly	High	Token theft or abuse possible.

Common Tools

Tool	Usage
PowerShell	Launches payloads, downloads, encodes commands, spawns child LOLBINs
cmd.exe	Common shell bridge between stages
WMIC	Remote execution and process spawn
schtasks.exe	Task-triggered child execution
sc.exe	Service-based process spawn
mshta.exe	Proxy execution
rundll32.exe	DLL execution
regsvr32.exe	Squiblydoo / scriptlet execution
Office Macros	Parent for malicious child shells
Cobalt Strike	Common suspicious process trees
Empire	Heavy use of PowerShell child chains

Relevant Artifacts

Security Event ID 4688
Sysmon Event ID 1
Sysmon Event ID 5
Sysmon Event ID 7
PowerShell 4104
Security 4624 / 4672
Prefetch for parent + child binaries
Amcache execution evidence
ShimCache historical execution
EDR lineage graphs
WMI Activity logs if wmiprvse.exe
Scheduled Task logs if taskhostw.exe
Service Control Manager logs if services.exe
MFT / USN for payload dropped before spawn

MITRE ATT&CK References

T1059 Command and Scripting Interpreter
T1204 User Execution
T1047 Windows Management Instrumentation
T1053 Scheduled Task
T1547 Boot or Logon Autostart Execution
T1218 Signed Binary Proxy Execution
T1543 Create or Modify System Process

Decision Tree

What process spawned the suspicious child?
- Identify parent image
- Check parent integrity
- Check parent signer
Is parent expected to spawn children?
- Normal baseline?
- Rare but legitimate?
- Highly abnormal?
Is child a shell or LOLBIN?
- cmd.exe
- powershell.exe
- rundll32.exe
- regsvr32.exe
- mshta.exe
Inspect command line
- Encoded command
- Network retrieval
- Hidden window
- Service creation
- Credential access
Pivot to execution source
- Office?
- Browser?
- WMI?
- Service?
- Task?
Expand scope
- Additional children
- Network connections
- Persistence artifacts
- User context

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("winword.exe","excel.exe","outlook.exe","wmiprvse.exe","services.exe","svchost.exe","mshta.exe","regsvr32.exe")
| where NewProcessName has_any ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","bitsadmin.exe","certutil.exe")
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName, CommandLine

Sysmon
| where EventID == 1
| where ParentImage has_any ("\\winword.exe","\\excel.exe","\\wmiprvse.exe","\\services.exe","\\svchost.exe")
| where Image has_any ("\\powershell.exe","\\cmd.exe","\\mshta.exe","\\rundll32.exe")
| project TimeGenerated, Computer, ParentImage, Image, CommandLine

EQL

process where
  process.parent.name in ("winword.exe","excel.exe","wmiprvse.exe","services.exe","svchost.exe")
  and process.name in ("powershell.exe","cmd.exe","mshta.exe","rundll32.exe")

sequence by host.name with maxspan=3m
  [ process where process.parent.name == "winword.exe" ]
  [ process where process.name == "powershell.exe" ]

Sigma

title: Suspicious Parent Child Process Relationship
id: 7d8c2f11-parent-child-anomaly
status: experimental
description: Detects suspicious parent-child process combinations frequently used during malware execution and persistence
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  parent_selection:
    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\wmiprvse.exe'
      - '\services.exe'
      - '\svchost.exe'
  child_selection:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
  condition: parent_selection and child_selection
fields:
  - ParentImage
  - Image
  - CommandLine
falsepositives:
  - Administrative scripting
  - Enterprise automation
level: high
tags:
  - attack.execution
  - attack.persistence

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Sysmon coverage	Enable Event 1 everywhere	Critical	Core lineage visibility
PowerShell logging	Enable 4104	Critical	Essential for child PowerShell analysis
Application Control	AppLocker / WDAC	Critical	Restricts LOLBIN abuse
Office macro controls	Disable unsigned macros	High	Major reduction of malicious parent chains
Service monitoring	Alert when services spawn shells	Critical	Detect persistence quickly
EDR lineage retention	Preserve long trees	Critical	Enables ancestry reconstruction

Suspicious Parent → Child Patterns

Parent Process	Child Process	Typical Attack Scenario	MITRE Technique	Forensic Value
winword.exe	powershell.exe	Macro launching payload	T1059.001	Critical
winword.exe	cmd.exe	Macro shell	T1204	Critical
winword.exe	mshta.exe	HTA execution	T1218.005	Critical
excel.exe	powershell.exe	Spreadsheet macro payload	T1059	Critical
outlook.exe	cmd.exe	Attachment execution	T1204	Critical
chrome.exe	powershell.exe	Browser exploit / payload	T1203	Critical
svchost.exe	cmd.exe	Service abuse	T1059	Critical
services.exe	powershell.exe	Service persistence	T1543	Critical
spoolsv.exe	cmd.exe	Print spooler exploitation	T1059	Critical
lsass.exe	cmd.exe	Credential tooling anomaly	T1003	Critical
winlogon.exe	powershell.exe	Logon persistence	T1547	Critical
taskhostw.exe	powershell.exe	Scheduled task execution	T1053	High
wmiprvse.exe	cmd.exe	WMI remote execution	T1047	Critical
dllhost.exe	powershell.exe	COM abuse	T1546	High
mshta.exe	powershell.exe	LOLBIN staging	T1218.005	Critical
regsvr32.exe	cmd.exe	Proxy execution	T1218.010	Critical
powershell.exe	certutil.exe	Payload retrieval / decode	T1105	High
cmd.exe	nltest.exe	Domain discovery	T1018	High
wmic.exe	powershell.exe	Remote PowerShell	T1047	Critical
schtasks.exe	cmd.exe	Task persistence	T1053	Critical
msiexec.exe	powershell.exe	Installer abuse	T1218.007	High

Known Legitimate Baseline Relationships

Parent Process	Child Process	Execution Phase	Purpose	Forensic Notes
System (PID 4)	smss.exe	Boot	Session manager	First user-mode process
smss.exe	csrss.exe	Boot	Runtime subsystem	Core OS baseline
smss.exe	wininit.exe	Boot	Core initialization	Normal
smss.exe	winlogon.exe	Logon	Session manager	Normal
wininit.exe	services.exe	Boot	SCM	Normal
wininit.exe	lsass.exe	Boot	Authentication	Normal
services.exe	svchost.exe	Runtime	Service hosting	Normal
services.exe	spoolsv.exe	Runtime	Print service	Normal
services.exe	wmiprvse.exe	Runtime	WMI host	Normal
winlogon.exe	userinit.exe	Logon	User environment	Normal
userinit.exe	explorer.exe	Session	Desktop shell	Normal
explorer.exe	powershell.exe	User session	Interactive admin use	Context dependent

Core Boot Chain

System (PID 4)
   └ smss.exe
        ├ csrss.exe
        ├ wininit.exe
        │     ├ services.exe
        │     │     └ svchost.exe
        │     ├ lsass.exe
        │     └ lsm.exe
        └ winlogon.exe
              └ userinit.exe
                    └ explorer.exe

High-Risk System Processes

Process	Why Important	Suspicious If Spawns
lsass.exe	Credential authority	cmd, powershell
winlogon.exe	Authentication	shells
services.exe	Service manager	interactive shells
svchost.exe	Service host	shell tools
spoolsv.exe	Print service	shells
csrss.exe	Core subsystem	almost anything
smss.exe	Session manager	almost anything

Suspicious Relationships

Direct Indicators

Indirect Indicators

Common Tools

Relevant Artifacts

MITRE ATT&CK References

Decision Tree

Example Detection Templates

KQL

EQL

Sigma

Mitigation & Hardening

Suspicious Parent → Child Patterns

Known Legitimate Baseline Relationships

Core Boot Chain

High-Risk System Processes