Skip to content

DET0443 Detection Strategy for Masquerading via Breaking Process Trees

Item Value
ID DET0443
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1036.009 (Break Process Trees)

Analytics

Linux

AN1223

Detects anomalous process execution patterns where a process’s parent terminates quickly after process creation or is re-parented to ‘init’ (PID 1), often indicating double-fork or daemon-style detachment. These behaviors sever the parent-child relationship and obscure the execution origin in process tree analysis.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) auditd:SYSCALL fork/clone/daemon syscall tracing
Process Creation (DC0032) auditd:SYSCALL execve of re-parented process
Mutable Elements
Field Description
TimeWindow Maximum time between parent and child process creation and parent process termination
ReparentingDetectionScope Scope for detecting unexpected re-parenting to init/systemd
ExecutableScope Subset of monitored executables or services likely to abuse double-fork

macOS

AN1224

Detects execution patterns where a child process is detached from its original parent, often showing up under ‘launchd’ (PID 1) with no parent lineage. These breakages in the process tree are indicative of evasive techniques using daemon(), fork() or background execution flags.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Process creation with parent PID of 1 (launchd)
OS API Execution (DC0021) fs:fsusage Detached process execution with no associated parent
Mutable Elements
Field Description
AnomalyParentPID Triggering PID used to flag abnormal child adoption (commonly PID 1)
AllowedServices Allowlist of background daemons legitimately using launchd as parent
ProcessNameEntropy Entropy score threshold for abnormal process names in detached state