Parent Process PID Spoofing
Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/14"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID)
11of a new process to evade process-monitoring defenses or to elevate privileges.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Parent Process PID Spoofing"
18references = ["https://blog.didierstevens.com/2017/03/20/"]
19risk_score = 73
20rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
21severity = "high"
22tags = [
23 "Domain: Endpoint",
24 "OS: Windows",
25 "Use Case: Threat Detection",
26 "Tactic: Defense Evasion",
27 "Tactic: Privilege Escalation",
28 "Data Source: Elastic Defend",
29]
30type = "eql"
31
32query = '''
33/* This rule is compatible with Elastic Endpoint only */
34
35sequence by host.id, user.id with maxspan=3m
36
37 [process where host.os.type == "windows" and event.type == "start" and
38 process.Ext.token.integrity_level_name != "system" and
39 (
40 process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
41 "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
42 "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
43 "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or
44
45 (process.executable : ("?:\\Users\\*.exe",
46 "?:\\ProgramData\\*.exe",
47 "?:\\Windows\\Temp\\*.exe",
48 "?:\\Windows\\Tasks\\*") and
49 (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or
50
51 process.executable : "?:\\Windows\\Microsoft.NET\\*.exe"
52 ) and
53
54 not process.executable :
55 ("?:\\Windows\\System32\\WerFaultSecure.exe",
56 "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
57 "?:\\Windows\\System32\\WerFault.exe",
58 "?:\\Windows\\SysWOW64\\WerFault.exe")
59 ] by process.pid
60 [process where host.os.type == "windows" and event.type == "start" and
61 process.parent.Ext.real.pid > 0 and
62
63 /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
64 not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and
65
66 not process.executable :
67 ("?:\\Windows\\System32\\WerFaultSecure.exe",
68 "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe",
69 "?:\\Windows\\System32\\WerFault.exe",
70 "?:\\Windows\\SysWOW64\\WerFault.exe")
71 ] by process.parent.Ext.real.pid
72'''
73
74
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1134"
79name = "Access Token Manipulation"
80reference = "https://attack.mitre.org/techniques/T1134/"
81[[rule.threat.technique.subtechnique]]
82id = "T1134.004"
83name = "Parent PID Spoofing"
84reference = "https://attack.mitre.org/techniques/T1134/004/"
85
86
87
88[rule.threat.tactic]
89id = "TA0005"
90name = "Defense Evasion"
91reference = "https://attack.mitre.org/tactics/TA0005/"
92[[rule.threat]]
93framework = "MITRE ATT&CK"
94[[rule.threat.technique]]
95id = "T1134"
96name = "Access Token Manipulation"
97reference = "https://attack.mitre.org/techniques/T1134/"
98[[rule.threat.technique.subtechnique]]
99id = "T1134.004"
100name = "Parent PID Spoofing"
101reference = "https://attack.mitre.org/techniques/T1134/004/"
102
103
104
105[rule.threat.tactic]
106id = "TA0004"
107name = "Privilege Escalation"
108reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Expired or Revoked Driver Loaded
- Potential privilege escalation via CVE-2022-38028
- Service Control Spawned via Script Interpreter