Parent Process PID Spoofing
Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/14"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID)
13of a new process to evade process-monitoring defenses or to elevate privileges.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Parent Process PID Spoofing"
20references = ["https://blog.didierstevens.com/2017/03/20/"]
21risk_score = 73
22rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
23severity = "high"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
25type = "eql"
26
27query = '''
28/* This rule is compatible with Elastic Endpoint only */
29
30sequence by host.id, user.id with maxspan=3m
31
32 [process where host.os.type == "windows" and event.type == "start" and
33 process.Ext.token.integrity_level_name != "system" and
34 (
35 process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
36 "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
37 "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
38 "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or
39
40 (process.executable : ("?:\\Users\\*.exe",
41 "?:\\ProgramData\\*.exe",
42 "?:\\Windows\\Temp\\*.exe",
43 "?:\\Windows\\Tasks\\*") and
44 (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or
45
46 process.executable : "?:\\Windows\\Microsoft.NET\\*.exe"
47 ) and
48
49 not process.executable :
50 ("?:\\Windows\\System32\\WerFaultSecure.exe",
51 "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
52 "?:\\Windows\\System32\\WerFault.exe",
53 "?:\\Windows\\SysWOW64\\WerFault.exe")
54 ] by process.pid
55 [process where host.os.type == "windows" and event.type == "start" and
56 process.parent.Ext.real.pid > 0 and
57
58 /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
59 not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and
60
61 not process.executable :
62 ("?:\\Windows\\System32\\WerFaultSecure.exe",
63 "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
64 "?:\\Windows\\System32\\WerFault.exe",
65 "?:\\Windows\\SysWOW64\\WerFault.exe")
66 ] by process.parent.Ext.real.pid
67'''
68
69
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72[[rule.threat.technique]]
73id = "T1134"
74name = "Access Token Manipulation"
75reference = "https://attack.mitre.org/techniques/T1134/"
76[[rule.threat.technique.subtechnique]]
77id = "T1134.004"
78name = "Parent PID Spoofing"
79reference = "https://attack.mitre.org/techniques/T1134/004/"
80
81
82
83[rule.threat.tactic]
84id = "TA0005"
85name = "Defense Evasion"
86reference = "https://attack.mitre.org/tactics/TA0005/"
87
88
89[[rule.threat]]
90framework = "MITRE ATT&CK"
91[[rule.threat.technique]]
92id = "T1134"
93name = "Access Token Manipulation"
94reference = "https://attack.mitre.org/techniques/T1134/"
95[[rule.threat.technique.subtechnique]]
96id = "T1134.004"
97name = "Parent PID Spoofing"
98reference = "https://attack.mitre.org/techniques/T1134/004/"
99
100
101
102[rule.threat.tactic]
103id = "TA0004"
104name = "Privilege Escalation"
105reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Bypass UAC via Event Viewer
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Expired or Revoked Driver Loaded
- Service Control Spawned via Script Interpreter