Parent Process PID Spoofing

Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/07/14"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/02/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID)
13of a new process to evade process-monitoring defenses or to elevate privileges.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Parent Process PID Spoofing"
20references = ["https://blog.didierstevens.com/2017/03/20/"]
21risk_score = 73
22rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
23severity = "high"
24tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
25type = "eql"
26
27query = '''
28/* This rule is compatible with Elastic Endpoint only */
29
30sequence by host.id, user.id with maxspan=3m 
31
32 [process where host.os.type == "windows" and event.type == "start" and
33  process.Ext.token.integrity_level_name != "system" and 
34  (
35    process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
36                                     "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
37                                     "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
38                                     "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or 
39                                     
40    (process.executable : ("?:\\Users\\*.exe",
41                           "?:\\ProgramData\\*.exe",
42                           "?:\\Windows\\Temp\\*.exe",
43                           "?:\\Windows\\Tasks\\*") and 
44      (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or 
45                          
46    process.executable : "?:\\Windows\\Microsoft.NET\\*.exe"                      
47  ) and 
48  
49  not process.executable : 
50             ("?:\\Windows\\System32\\WerFaultSecure.exe", 
51              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
52              "?:\\Windows\\System32\\WerFault.exe",
53              "?:\\Windows\\SysWOW64\\WerFault.exe")
54  ] by process.pid
55 [process where host.os.type == "windows" and event.type == "start" and
56  process.parent.Ext.real.pid > 0 and 
57 
58  /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
59  not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and 
60  
61   not process.executable : 
62             ("?:\\Windows\\System32\\WerFaultSecure.exe", 
63              "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
64              "?:\\Windows\\System32\\WerFault.exe",
65              "?:\\Windows\\SysWOW64\\WerFault.exe")
66 ] by process.parent.Ext.real.pid
67'''
68
69
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72[[rule.threat.technique]]
73id = "T1134"
74name = "Access Token Manipulation"
75reference = "https://attack.mitre.org/techniques/T1134/"
76[[rule.threat.technique.subtechnique]]
77id = "T1134.004"
78name = "Parent PID Spoofing"
79reference = "https://attack.mitre.org/techniques/T1134/004/"
80
81
82
83[rule.threat.tactic]
84id = "TA0005"
85name = "Defense Evasion"
86reference = "https://attack.mitre.org/tactics/TA0005/"

to-top