Parent Process PID Spoofing

  1[metadata]
  2creation_date = "2021/07/14"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID)
 11of a new process to evade process-monitoring defenses or to elevate privileges.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Parent Process PID Spoofing"
 18references = [
 19    "https://blog.didierstevens.com/2017/03/20/",
 20    "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
 21]
 22risk_score = 73
 23rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
 24severity = "high"
 25tags = [
 26    "Domain: Endpoint",
 27    "OS: Windows",
 28    "Use Case: Threat Detection",
 29    "Tactic: Defense Evasion",
 30    "Tactic: Privilege Escalation",
 31    "Data Source: Elastic Defend",
 32    "Resources: Investigation Guide",
 33]
 34type = "eql"
 35
 36query = '''
 37/* This rule is compatible with Elastic Endpoint only */
 38
 39sequence by host.id, user.id with maxspan=3m
 40
 41 [process where host.os.type == "windows" and event.type == "start" and
 42  process.Ext.token.integrity_level_name != "system" and
 43  (
 44    process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
 45                                     "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
 46                                     "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
 47                                     "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or
 48
 49    (process.executable : ("?:\\Users\\*.exe",
 50                           "?:\\ProgramData\\*.exe",
 51                           "?:\\Windows\\Temp\\*.exe",
 52                           "?:\\Windows\\Tasks\\*") and
 53      (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or
 54
 55    process.executable : "?:\\Windows\\Microsoft.NET\\*.exe"
 56  ) and
 57
 58  not process.executable :
 59             ("?:\\Windows\\System32\\WerFaultSecure.exe",
 60              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
 61              "?:\\Windows\\System32\\WerFault.exe",
 62              "?:\\Windows\\SysWOW64\\WerFault.exe")
 63  ] by process.pid
 64 [process where host.os.type == "windows" and event.type == "start" and
 65  process.parent.Ext.real.pid > 0 and
 66
 67  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
 68  not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and
 69
 70   not process.executable :
 71             ("?:\\Windows\\System32\\WerFaultSecure.exe",
 72              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
 73              "?:\\Windows\\System32\\WerFault.exe",
 74              "?:\\Windows\\SysWOW64\\WerFault.exe")
 75 ] by process.parent.Ext.real.pid
 76'''
 77note = """## Triage and analysis
 78
 79> **Disclaimer**:
 80> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 81
 82### Investigating Parent Process PID Spoofing
 83
 84Parent Process PID Spoofing involves manipulating the parent process identifier to disguise the origin of a process, often to bypass security measures or gain elevated privileges. Adversaries exploit this by launching processes with falsified parent PIDs, making them appear benign. The detection rule identifies such anomalies by monitoring process creation events, focusing on unexpected parent-child relationships and unsigned executables, thus flagging potential spoofing attempts.
 85
 86### Possible investigation steps
 87
 88- Review the process creation event details to identify the specific executable and its path that triggered the alert. Pay attention to the process.executable field to determine if it matches any suspicious patterns like "?:\\\\Users\\\\*.exe" or "?:\\\\Windows\\\\Temp\\\\*.exe".
 89- Check the process.parent.Ext.real.pid field to confirm if the parent process PID has been spoofed. Investigate the legitimacy of the parent process by examining its name and executable path.
 90- Analyze the process.code_signature.status field to determine if the executable is unsigned or has a bad digest, which could indicate tampering or a lack of authenticity.
 91- Investigate the user context by reviewing the user.id field to understand which user account was associated with the process creation. This can help determine if the activity aligns with expected user behavior.
 92- Correlate the process creation event with other related events on the same host.id within the maxspan of 3 minutes to identify any additional suspicious activities or patterns.
 93- Examine the integrity level of the process using the process.Ext.token.integrity_level_name field to assess if the process is running with elevated privileges unexpectedly.
 94- Cross-reference the process with known legitimate applications by checking if the process.pe.original_file_name matches common applications like "winword.exe" or "powershell.exe" to rule out false positives.
 95
 96### False positive analysis
 97
 98- Processes like msedge.exe with sihost.exe as the parent may trigger false positives. Consider adding exceptions for these specific parent-child relationships if they are common in your environment.
 99- Executables located in user directories or temporary folders may be flagged if they lack valid code signatures. Regularly review and whitelist known benign applications that operate from these paths.
100- Processes with a parent PID mismatch due to legitimate software updates or installations can be mistaken for spoofing. Monitor and document such activities to refine detection rules and reduce false alerts.
101- WerFault.exe and its variants are excluded by default, but if other legitimate system processes are frequently flagged, consider expanding the exclusion list to include them.
102- Regularly update the list of known safe executables and their expected parent processes to ensure the rule remains effective without generating unnecessary alerts.
103
104### Response and remediation
105
106- Isolate the affected host immediately to prevent further spread of the threat. Disconnect the host from the network to contain any potential malicious activity.
107- Terminate any suspicious processes identified by the alert, especially those with spoofed parent PIDs or unsigned executables, to halt any ongoing malicious actions.
108- Conduct a thorough review of the affected system's process tree and logs to identify any additional malicious processes or indicators of compromise that may have been missed.
109- Restore the affected system from a known good backup if any critical system files or configurations have been altered by the threat.
110- Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited by the adversary.
111- Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of the threat, focusing on process creation events and parent-child process relationships.
112- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
113
114
115[[rule.threat]]
116framework = "MITRE ATT&CK"
117[[rule.threat.technique]]
118id = "T1134"
119name = "Access Token Manipulation"
120reference = "https://attack.mitre.org/techniques/T1134/"
121[[rule.threat.technique.subtechnique]]
122id = "T1134.004"
123name = "Parent PID Spoofing"
124reference = "https://attack.mitre.org/techniques/T1134/004/"
125
126
127
128[rule.threat.tactic]
129id = "TA0005"
130name = "Defense Evasion"
131reference = "https://attack.mitre.org/tactics/TA0005/"
132[[rule.threat]]
133framework = "MITRE ATT&CK"
134[[rule.threat.technique]]
135id = "T1134"
136name = "Access Token Manipulation"
137reference = "https://attack.mitre.org/techniques/T1134/"
138[[rule.threat.technique.subtechnique]]
139id = "T1134.004"
140name = "Parent PID Spoofing"
141reference = "https://attack.mitre.org/techniques/T1134/004/"
142
143
144
145[rule.threat.tactic]
146id = "TA0004"
147name = "Privilege Escalation"
148reference = "https://attack.mitre.org/tactics/TA0004/"