The security industry has historically relied on monitoring parent-child process trees to identify malicious execution. If Microsoft Word spawns a command shell, a static rule triggers. However, advanced adversaries - particularly those operating in high-stakes financial and telecommunications sectors - are fully aware of these static registries.
To evade detection, threat actors leverage Living-off-the-Land (LotL) binaries to blend into benign administrative noise. When combined with unbacked memory injection, adversaries successfully sever the visible lineage, rendering traditional path-based whitelisting and static rule registries dead. Modern detection engineering requires a shift toward mathematical baselines fused with Entity-Relationship (ER) graphs and LLM reasoning loops.
The Adversarial Mutation: Severing the Tree
Attackers continuously mutate their execution chains. Instead of dropping custom malware, they abuse native utilities (like cmd.exe or powershell.exe) spawned from highly variable, yet legitimate, parent processes (like w3wp.exe or tomcat.exe). To further disguise their intent, they inject payloads into the memory space of critical system processes, such as lsass.exe, to dump credentials without creating a suspicious child process.
When the call stack originates from unbacked memory (memory not backed by a file on disk) or non-system module paths, standard EDR parent-child tracking fails. The lineage is technically broken, and the attack proceeds in the blind spots of static logic.
The Strategy: Transition Probabilities & Call Stack Fusion
To counter this, we must combine process co-occurrence probabilities with call stack telemetry.
Instead of asking, "Is this process bad?" we must ask, "What is the mathematical probability of this specific process transition occurring in this environment?"
We define the transition probability of a child process executing given parent process as:
P(C|P) = [ Count(P → C) ] / [ Σᵢ Count(P → Cᵢ) ]
Where Cᵢ represents all unique child processes spawned by parent P.
By calculating these transition frequencies dynamically, we establish a host-level baseline. If a network daemon spawns a shell where the transition probability is P(C|P) < 10^{-4}, we have identified a statistical anomaly.
However, low probability alone can generate administrative noise. We must fuse this finding with memory access telemetry. We correlate the low-probability transition with process access requests (e.g., PROCESS_VM_READ) where the CallTrace stack references unknown or unbacked memory locations outside of standard system directories.
The Entity-Relationship LLM Detection Loop
Feeding raw log strings into an LLM is expensive, context-heavy, and inefficient. Instead, we orchestrate a highly scalable detection loop by converting the endpoint telemetry into Graphs.
- State Extraction: Parse the telemetry into core entities: [w3wp.exe] and [cmd.exe].
- Relationship Mapping: Define the interaction edge: SPAWNS.
- Statistical Enrichment: Attach our computed mathematical models directly to the edge: [Transition Probability: 0.0001].
- Memory Enrichment: Attach call stack traits to the target entity: [Unbacked Memory Allocation: True].
We then pass this enriched sub-graph to the LLM with a highly specific reasoning prompt.
System Prompt Directive: "You are an autonomous detection engineer. Analyze this sub-graph. The transition probability between [w3wp.exe] and [cmd.exe] is statistically anomalous, and the spawned process initiated a memory allocation request from an unbacked module. Identify if this represents a known permutation of a living-off-the-land execution chain or a benign administrative mutation. Output your confidence score and the MITRE technique mapping."
Strategic Implementation Matrix
Organizations can operationalize this math-driven architecture without relying on fragile signatures.
| Phase | Strategic Implementation |
|---|---|
| Preventive | Restrict native shell binaries from executing under low-probability parent processes via application control policies. |
| Detective | Compute rolling transition probabilities and flag executions that deviate from established baselines, explicitly auditing call stacks for non-system module paths. |
| Corrective | Deploy automated response playbooks that terminate anomalous child processes when both transition probability is low and unbacked memory is detected. |
| Compensative | Enforce continuous auditing and local event forwarding for host systems exhibiting frequent, unpredictable process transitions. |