From dc7053f4f5be03b7e7ef35bf8659a0cb96b80a69 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 29 Sep 2025 18:58:11 +0200
Subject: [PATCH] feat(rules): Suspicious protected process spawned

Identifies when a non-SYSTEM process spawns a protected child process. This indicates an unusual behavior that is often associated with attempts to tamper with or freeze endpoint protection components.

---
 ...n_suspicious_protected_process_spawned.yml | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 rules/defense_evasion_suspicious_protected_process_spawned.yml

diff --git a/rules/defense_evasion_suspicious_protected_process_spawned.yml b/rules/defense_evasion_suspicious_protected_process_spawned.yml
new file mode 100644
index 000000000..493b5a847
--- /dev/null
+++ b/rules/defense_evasion_suspicious_protected_process_spawned.yml
@@ -0,0 +1,43 @@
+name: Suspicious protected process spawned
+id: a778295a-02f1-42d9-9c20-78346a7bc2c6
+version: 1.0.0
+description: |
+  Identifies when a non-SYSTEM process spawns a protected child process. This indicates an
+  unusual behavior that is often associated with attempts to tamper with or freeze endpoint
+  protection components.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1562
+  technique.name: Impair Defenses
+  technique.ref: https://attack.mitre.org/techniques/T1562/
+  subtechnique.id: T1562.001
+  subtechnique.name: Disable or Modify Tools
+  subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
+references:
+  - https://github.com/TwoSevenOneT/EDR-Freeze
+
+condition: >
+  spawn_process and ps.child.is_protected = true and ps.token.integrity_level != 'SYSTEM'
+  and
+  pe.cert.issuer not imatches
+  (
+  '*Microsoft Windows*',
+  '*Microsoft Corporation*',
+  '*CrowdStrike, Inc*',
+  '*Sentinel Labs, Inc*',
+  '*SentinelOne Inc*',
+  '*Sophos Ltd*',
+  '*Symantec Corporation*',
+  '*Palo Alto Networks*',
+  '*Trend Micro, Inc*'
+  )
+action:
+  - name: kill
+
+output: >
+  Suspicious protected process %ps.child.exe spawned by non-system process %ps.exe
+severity: high
+
+min-engine-version: 3.0.0
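Review bot: The vendor exclusion in `condition` keys on the certificate issuer string alone (`pe.cert.issuer not imatches (...)`) and never requires that the signature is valid or chains to a trusted root, so a binary carrying a self-signed certificate whose issuer field merely contains "Microsoft Corporation" or "CrowdStrike, Inc" would slip past the rule. Gate the exclusion on signature trust as well, e.g. `and not (pe.is_trusted = true and pe.cert.issuer imatches (...))`, assuming the engine exposes a trust field for this version — confirm against the filter-field reference for `min-engine-version: 3.0.0`. It is also worth stating, in the description or a YAML comment above `condition:`, whether `pe.*` here describes the parent (`ps.exe`) or the spawned child (`ps.child.exe`), since the intent is presumably to excuse vendor-signed parents while the output line names only the parent. Because `action: kill` is attached, a wildcard issuer list decides what gets terminated; a short note such as `# kill presumably terminates the non-SYSTEM parent; review the issuer exclusions before enabling` above `action:` would make that trade-off explicit for operators.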