Skip to content

T1036.009 Break Process Trees

An adversary may attempt to evade process tree-based analysis by modifying executed malware’s parent process ID (PPID). If endpoint protection software leverages the “parent-child” relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.1

On Linux systems, adversaries may execute a series of Native API calls to alter malware’s process tree. For example, adversaries can execute their payload without any arguments, call the fork() API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the init system process (PID 1), which successfully disconnects the execution of the adversary’s payload from its previous process tree.

Another example is using the “daemon” syscall to detach from the current parent process and run in the background.32

Item Value
ID T1036.009
Sub-techniques T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008, T1036.009, T1036.010, T1036.011, T1036.012
Tactics TA0005
Platforms Linux, macOS
Version 1.0
Created 27 September 2023
Last Modified 15 April 2025

Procedure Examples

ID Name Description
S1161 BPFDoor After initial execution, BPFDoor forks itself and runs the fork with the --init flag, which allows it to execute secondary clean up operations. The parent process terminates leaving the forked process to be inherited by the legitimate process init.3

References

  1. Juan Tapiador. (2022, April 11). UNIX daemonization and the double fork. Retrieved September 29, 2023. 

  2. Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023. 

  3. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.